[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers

David Conrad drc at virtualized.org
Fri May 23 17:06:13 UTC 2008

[I had promised myself and others I wouldn't post on this topic  
further.  I am breaking that promise because I believe Daniel is  
trying to obfuscate a sucking chest wound in the Internet architecture  
with platitudes and handwaving.  I'm weary of it.  This will be my  
last post as I will be filtering out this subject line in the future.]


On May 23, 2008, at 1:15 AM, Daniel Karrenberg wrote:
> We have independent, clearly defined, open and transparent  
> governance processes for this.

Can you provide me with the URL where these processes are clearly defined?

> In addition to this blatant example it is important to realise, that any
> DNS name server operator is rightfully held accountable for the quality
> of service at the network layer address of its service.

Could you point me to your published service level guarantees?  How  
about the mechanisms, including penalties, that would encourage you to  
remedy the situation in the event that RIPE-NCC does not live up to  
those service metrics?  How about your policies or statements about  
not modifying root zone data as it is presented to the root servers?   
A statement about non-discriminatory access (e.g., refusing to serve  
requests from a particular community)?  How would, say, a TLD operator  
who had operational issues because a root server failed to update  
their zone in a timely manner (which has occurred on several occasions  
when I was at IANA) go about getting compensated for lost business or  

> my perception of your line of reasoning is that centralised control by
> ICANN may look more convenient to you and that you support the efforts
> of ICANN to implement such control through contracts or through ICANN
> having authority over the IP addresses of the root name servers.

I will point out again that nowhere have I stated that I believe  
ICANN should have contracts or centralized control (in fact have  
suggested the opposite).  This is a very tired old red herring.

If you actually read what I wrote, I am arguing that the IP addresses  
for the root servers be fixed by the IETF (not ICANN).  I specifically  
did not raise the topic of how an organization would be disassociated  
or (re-)associated with one of the IETF-defined "golden" root server  
addresses as I pointed out that is a layer-9 issue.  I did not say that  
ICANN would even have a role in that disassociation/(re-)association  

The reaction from individuals within the root server community to this  
suggestion is to treat it as a threat or to attack me personally as  
being on a "warpath" or engaging in "dismissive derisive sarcasm".  As  
I said, this is not unexpected -- historically, any attempt to change  
the status quo in a monopolistic system results in remonstrations that  
everything is working fine the way it is (despite evidence to the  
contrary), complaints of ulterior motives, FUD-spreading, etc.  Seen  
it in the telco world and other businesses, it isn't too surprising to  
see it here.

> Let us not take things out of proportion.  DNS (root) name service has
> been reliable and highly available for decades.

Indeed, and I'm sure we're all quite thankful (honestly) that the root  
server operators, by and large, have done a reasonable job since there  
is nothing that actually requires them to do so.  Of course, this  
wasn't always the case and every now and then there are issues, but by  
and large, things work OK.  At least for now.

"Past behavior does not guarantee future performance."

> Both operation and governance have evolved successfully.

I would agree that operation has evolved.  Heck, I remember when the  
root servers weren't anycast (and your arguments that everything was  
fine back then too).  I would be very interested in seeing how you  
might justify the statement that "governance has evolved  
successfully."  You appear to be saying "the root server operators  
work fine, except when they don't and everything is open, transparent  
and accountable, except when it isn't.  So everything is good and  
nothing needs to change."  I find this sad.

In any event, when I responded to this thread, I was under no illusion  
that anything would actually change.  Even if the IETF were to come  
out with a "golden" root server address RFC, I am certain you and  
others would refuse to abide by it, coming up with some  
platitude-filled rationalization.  And there is nothing short of US government  
intervention that could actually be guaranteed to do anything about  

Now that's irony.

