[81977] in North American Network Operators' Group
Re: The whole alternate-root ${STATE}horse (was Re:
daemon@ATHENA.MIT.EDU (Brad Knowles)
Fri Jul 8 15:27:57 2005
In-Reply-To: <20050705094349.B20852@cgi.jachomes.com>
Date: Tue, 5 Jul 2005 20:38:41 +0200
To: NANOG <nanog@merit.edu>
From: Brad Knowles <brad@stop.mail-abuse.org>
Errors-To: owner-nanog@merit.edu

At 9:43 AM -0400 2005-07-05, Jay R. Ashworth wrote:
>> Moreover, most of them are unlikely to be
>> willing to just live with the problem, if no other suitable technical
>> solution can be found. Instead, they'll believe the sales pitch of
>> someone else who says that they can fix the problem, even if that's
>> not technically possible.
>
> Well they might. Well, actually, poorly they might.
>
> But that argument seems to play right *to* the alt-root operators,
> since the "fix" is to switch your customer resolvers to point to one of
> them.

I disagree. The problem is that there are too many alternatives.

> (Assuming, of course, they stay supersets of ICANN, and don't
> get at cross-purposes with one another.)

The problem is that they are pretty much guaranteed to get at
cross-purposes.

> In fact, merging them at your
> resolvers might be the best solution.

I don't think that's really practical. I'm sorry, I just don't
trust them to write a resolver that's going to get included in libc
(or wherever), and for which the world is going to be dependent.

The alternative roots will always be marginal, at best. The
problem is that while they are marginal, they can still create
serious problems for the rest of us.

> But Steve's approach doesn't seem to *me* to play in that direction.
> Am I wrong?

I'm not sure I understand which Steve you're talking about. Do
you mean Steve Gibbard, in his post dated Sun, 3 Jul 2005 22:20:13
-0700 (PDT)? If so, then each country running their own alternative
root won't solve the problem of data leaking through the edges.
People will always be able to access data by pure IP address, or
choosing to use the real root servers. Push comes to shove, and the
real root servers could be proxied through other systems via other
methods.

The reverse problem is more difficult to deal with -- that of
people wanting to access Chinese (or whatever) sites that can only be
found in the Chinese-owned alternative root.

--
Brad Knowles, <brad@stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.