[145257] in North American Network Operators' Group
Re: F.ROOT-SERVERS.NET moved to Beijing?
daemon@ATHENA.MIT.EDU (Todd Underwood)
Sun Oct 2 18:09:08 2011
In-Reply-To: <240436.1317592969@turing-police.cc.vt.edu>
From: Todd Underwood <toddunder@gmail.com>
Date: Sun, 2 Oct 2011 18:07:14 -0400
To: Valdis.Kletnieks@vt.edu
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
valdis, all,
On Sun, Oct 2, 2011 at 6:02 PM, <Valdis.Kletnieks@vt.edu> wrote:
> On Sun, 02 Oct 2011 17:30:37 EDT, Todd Underwood said:
>
>> 2) can any root server operator who serves data inside of china verify
>> that the data that they serve have not been rewritten by the great
>> firewall?
>
> DNSSEC should help this issue dramatically. =C2=A0This however could be p=
roblematic
> if the Chinese govt (or any repressive regime) decides to ban the use of
> technology that allows a user to identify when they're being repressed.
sure, but DNSSEC is still basically unused.
>
>> 3) does ISC (or <Insert Root Operator Here>) have a plan for
>> monitoring route distribution to ensure that this doesn't happen again
>> (without prompt detection and mitigation)?
>
> Leaked routes happen =C2=A0External monitors and looking glasses and filt=
ers and
> communities are all things we should probably be doing more of, in order =
to
> minimize routing bogosity. =C2=A0But when all is said and done, there's n=
o real way
> to have a dynamic routing protocol like BGP and at the same time *guarant=
ee*
> that some chucklehead NOC monkey won't bollix things up. =C2=A0At best, w=
e'll be
> able to get to "less than N brown-paper-bag moments per Tier-[12] per ann=
um" for
> some value of N.
yep. this is a *great* argument *against* running critical
information services on known-malicious network infrastructure, right?
i.e.: if you are sure you're going to be interfered with regularly
and you're positive you can't restrict the damage of that interference
narrowly to the people who were already suffering such interference,
perhaps you should choose to not locate your critical network
information resource on that network.
yes, i'm (again) suggesting that people take seriously not doing root
name service inside of china as long as the great firewall exists.
t
