North American Network Operators Group


DNS issues various

  • From: Simon Waters
  • Date: Thu Oct 24 10:55:48 2002

> From: "Greg Pendergrass" <[email protected]>
> Subject: RE: WP: Attack On Internet Called Largest Ever
> 
> Future attacks will be stronger and more
> organized. So how do we protect the root servers from future attack?

As has been discussed here previously (see archive) it is
unclear that the root DNS servers are particularly vulnerable,
so further effort specifically defending them may be misplaced,
compared to efforts to address DDoS in general, or efforts to
fortify other parts of the Internet infrastructure.

> From: "Joe Patterson" <[email protected]>
> 
> would it cause problems, and more importantly would it solve potential
> problems, to put some/most/all of the root servers (and maybe gtld-servers
> too) into an AS112-like config?

Last time it was discussed I thought that the provisions already
in the DNS RFCs to allow zone transfer for "." to recursive
servers is a neat solution for the root zone.

It can be implemented with existing technology, no new
servers/routers needed.
Bypasses the 13 root server limit.
Reduces load on the current root servers.
Increases performance when unknown domains are queried.
Even if all addresses where the zone was available were public,
a persistent DDoS would merely deny the addition of new TLDs,
or readdressing of all DNS servers for a TLD, both of which occur rarely.

The gtld-servers, and servers for other key zones, may be more
painful to do without, harder to replace, or less well
configured and/or protected than the root servers.

> From: "Stephen J. Wilcox" <[email protected]>
> Subject: Re: Testing root server down code
> 
> Microsoft DNS has a poor response and can spin out of control with all root
> servers available.. 

Unfair, Microsoft DNS has a good response and peak throughput
when it isn't spinning out of control ;-)

> From: "Martin J. Levy" <[email protected]>
> Subject: Re: Testing root server down code

> >2. Encourage greater software diversity for DNS server systems.  Currently most DNS servers are based on the BIND Berkeley Internet Name Domain code base.  There is also a Microsoft Windows version of DNS that very few groups currently run.
> >3. ...
> 
> Hence... At least in the US (and I can't say for the rest of the world), the government have been recommended to consider Microsoft's version of DNS.

Others might interpret that as not to run BIND, or Microsoft DNS
;-)

Surely that should be "code bases", plural, as BIND 9 is a new
code base?

So that is BIND 4, BIND 8, BIND 9, MS DNS, UltraDNS and DJBDNS
in fairly widespread use (and the one the root servers use if
they don't use BIND), or supporting critical domains, but we
still need more diversity?! I think promoting correct
configuration, and in-bailiwick delegation, would be more
useful.

Now how do I set follow-ups to comp.protocols.tcp-ip.domains ?
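As an added illustration of the slaved-root-zone point above (example code written here, not from the original post or from any DNS implementation): it parses two constructed root zone snapshots and reports the changes a resolver still serving a stale copy of "." would miss, which is the category of change the post argues is rare.

```python
# Added example (not from the NANOG post or any DNS software): parse two
# constructed root zone snapshots and list what a resolver still serving the
# older copy would get wrong. Reads one-record-per-line NS/A/AAAA only.

def parse_root_zone(text):
    """Return (delegations, glue): {tld: {ns names}}, {ns name: {addresses}}."""
    delegations, glue = {}, {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()          # drop comments
        if not line or line.startswith("$"):         # blanks, $TTL/$ORIGIN
            continue
        fields = line.split()
        owner = fields[0].lower().rstrip(".") or "."
        rest = [f for f in fields[1:] if not f.isdigit() and f.upper() != "IN"]  # skip TTL/class
        if len(rest) < 2:
            continue
        rtype, rdata = rest[0].upper(), rest[1].lower().rstrip(".")
        if rtype == "NS" and owner != ".":           # TLD delegation
            delegations.setdefault(owner, set()).add(rdata)
        elif rtype in ("A", "AAAA"):                 # glue for a TLD server
            glue.setdefault(owner, set()).add(rdata)
    return delegations, glue

def stale_copy_misses(old_text, new_text):
    """Changes a resolver slaving "." would miss while transfers are blocked."""
    old_del, old_glue = parse_root_zone(old_text)
    new_del, new_glue = parse_root_zone(new_text)
    return {
        "new_tlds": sorted(set(new_del) - set(old_del)),
        "removed_tlds": sorted(set(old_del) - set(new_del)),
        "changed_ns": sorted(t for t in old_del
                             if t in new_del and old_del[t] != new_del[t]),
        "readdressed_ns": sorted(n for n in old_glue
                                 if n in new_glue and old_glue[n] != new_glue[n]),
    }

# Constructed snapshots using documentation prefixes, not real root zone data.
OLD_ROOT = """\
.               518400 IN NS a.root-servers.net.
example.        172800 IN NS a.gtld.example.
example.        172800 IN NS b.gtld.example.
a.gtld.example. 172800 IN A  192.0.2.1
"""
NEW_ROOT = """\
example.        172800 IN NS a.gtld.example.
example.        172800 IN NS c.gtld.example.
a.gtld.example. 172800 IN A  198.51.100.1   ; readdressed
test.           172800 IN NS ns.test.       ; new TLD
ns.test.        172800 IN AAAA 2001:db8::1
"""
```

Running `stale_copy_misses(OLD_ROOT, NEW_ROOT)` shows the stale copy would only be wrong about the new TLD and the readdressed/changed name servers; every other existing delegation still resolves.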