Some information on the rogue root server instance in China
http://www.betanews.com/article/With-three-months-to-go-to-DNSSEC-someones-f...
To summarize: last week, an anycast instance of the I root server started exhibiting a strange behaviour. Some replies appeared to be spoofed.
Autonomica, the Swedish company managing the I root, claims their anycast instance in China is identical to the other instances they have around the world. In other words, they serve the same root zone, not something that would be "adapted" to the Chinese Internet regulations. CNNIC, on their side, say they are just supplying the power and the bandwidth.
There is a lively discussion on the origin of this malfunction on the SSAC list. Opinions differ, but the research is going on. However, some raised the issue of the accountability of root server operators, and the fact that the absence of a contractual framework (minus L-root) between them and ICANN means that no-one is able to formally complain and seek redress. It is all a question of good faith and willingness on the side of the rootops.
I think indeed that ICANN will have to think about a contractual framework with the root zone operators in the future, along the lines of the registry agreements. After all, the Internet users deserve the same level of service from the root that they get from gTLD operators. I am not saying that the rootops have done a bad job. Quite the contrary. They have done an outstanding volunteer job. However, there should be a mechanism to replace a root operator that fails for whatever reason.
-- Patrick Vande Walle Blog: http://patrick.vande-walle.eu Twitter: http://twitter.vande-walle.eu Facebook: http://facebook.vande-walle.eu
Thanks for this, Patrick. As the SSAC Liaison, do you want to add this to the Agenda for the April ALAC Meeting? Or have the dns-sec-wg prep a draft on the matter to formally bring to our attention? Let me know... Please keep us posted...
Cheryl Langdon-Orr (CLO)
On 29 March 2010 01:39, Patrick Vande Walle <patrick@vande-walle.eu> wrote:
http://www.betanews.com/article/With-three-months-to-go-to-DNSSEC-someones-f...
To summarize: last week, an anycast instance of the I root server started exhibiting a strange behaviour. Some replies appeared to be spoofed.
Autonomica, the Swedish company managing the I root, claims their anycast instance in China is identical to the other instances they have around the world. In other words, they serve the same root zone, not something that would be "adapted" to the Chinese Internet regulations. CNNIC, on their side, say they are just supplying the power and the bandwidth.
There is a lively discussion on the origin of this malfunction on the SSAC list. Opinions differ, but the research is going on. However, some raised the issue of the accountability of root server operators, and the fact that the absence of a contractual framework (minus L-root) between them and ICANN means that no-one is able to formally complain and seek redress. It is all a question of good faith and willingness on the side of the rootops.
I think indeed that ICANN will have to think about a contractual framework with the root zone operators in the future, along the lines of the registry agreements. After all, the Internet users deserve the same level of service from the root that they get from gTLD operators. I am not saying that the rootops have done a bad job. Quite the contrary. They have done an outstanding volunteer job. However, there should be a mechanism to replace a root operator that fails for whatever reason.
-- Patrick Vande Walle Blog: http://patrick.vande-walle.eu Twitter: http://twitter.vande-walle.eu Facebook: http://facebook.vande-walle.eu _______________________________________________ ALAC mailing list ALAC@atlarge-lists.icann.org
http://atlarge-lists.icann.org/mailman/listinfo/alac_atlarge-lists.icann.org
At-Large Online: http://www.atlarge.icann.org ALAC Working Wiki: http://st.icann.org/alac
Patrick, thanks for this. Comment below:
http://www.betanews.com/article/With-three-months-to-go-to-DNSSEC-someones-f...
To summarize: last week, an anycast instance of the I root server started exhibiting a strange behaviour. Some replies appeared to be spoofed.
Autonomica, the Swedish company managing the I root, claims their anycast instance in China is identical to the other instances they have around the world. In other words, they serve the same root zone, not something that would be "adapted" to the Chinese Internet regulations. CNNIC, on their side, say they are just supplying the power and the bandwidth.
There is a lively discussion on the origin of this malfunction on the SSAC list. Opinions differ, but the research is going on. However, some raised the issue of the accountability of root server operators, and the fact that the absence of a contractual framework (minus L-root) between them and ICANN means that no-one is able to formally complain and seek redress. It is all a question of good faith and willingness on the side of the rootops.
I think indeed that ICANN will have to think about a contractual framework with the root zone operators in the future, along the lines of the registry agreements.
ICANN "Coordinates the operation and evolution of the DNS root name server system". To my mind any contractual framework along the lines of registry agreements would be a large bit of mission creep. Why should the agreement be with ICANN rather than between the root server operators themselves to operate under/meet certain standards and criteria? The ICANN community should have a role in advising on any such framework, but I don't think ICANN should run it. The root operators are presented as independent entities and that's been an important part of the global governance discussion.
After all, the Internet users deserve the same level of service from the root that they get from gTLD operators. I am not saying that the rootops have done a bad job. Quite the contrary. They have done an outstanding volunteer job. However, there should be a mechanism to replace a root operator that fails for whatever reason.
Yes, but should (could) ICANN take on that role? Would we trust it? Adam
-- Patrick Vande Walle Blog: http://patrick.vande-walle.eu Twitter: http://twitter.vande-walle.eu Facebook: http://facebook.vande-walle.eu
An update on my previous message and reply to Adam: It seems the Autonomica-controlled instance of the root in China was serving the IANA zone untouched, but that the reply packets were altered along the way, most probably by the Great Firewall of China. This should not have leaked outside the country, but somehow did anyway. Hence, the root operator is not at fault here.
On Mon, 29 Mar 2010 12:56:03 +0900, Adam Peake <ajp@glocom.ac.jp> wrote:
ICANN "Coordinates the operation and evolution of the DNS root name server system". To my mind any contractual framework along the lines of registry agreements would be a large bit of mission creep.
Why should the agreement be with ICANN rather than between the root server operators themselves to operate under/meet certain standards and criteria? The ICANN community should have a role in advising on any such framework, but I don't think ICANN should run it. The root operators are presented as independent entities and that's been an important part of the global governance discussion.
I am well aware that the independence of the rootops has long been presented as a guarantee that they can resist pressure to censor the root zone. However, I still question the real independence they have, given 3 are direct USG agencies (NASA, 2 US Army sites) and 4 have contracts with, or are partially funded by USG money (VeriSign, ICANN, UMD, USC-ISI). Add to that the IANA contract (USG/ICANN) and the root zone Management contract (USG/VRSGN). IMHO, there is quite some hypocrisy in this so-called independence.
I do not see how a framework between equals is going to work. Who will decide when to terminate a root zone operator in case of misbehaviour or underperformance? Who will select a replacement operator? Who will enforce Service Level Agreements on these operators?
On a practical matter: say I am a large company and my e-commerce web site's domain name did not resolve for several minutes because of the unavailability of root zone. Who should I take to court? The rootops could say they provide a free service on a best effort basis. That was fine as long as the Internet was an academic network. Now that it can make or break a business, I don't think "best effort" is good enough.
After all, the Internet users deserve the same level of service from the root that they get from gTLD operators. I am not saying that the rootops have done a bad job. Quite the contrary. They have done an outstanding volunteer job. However, there should be a mechanism to replace a root operator that fails for whatever reason.
Yes, but should (could) ICANN take on that role? Would we trust it?
Right now, for lack of a better forum, ICANN seems to be the only place to address that. Patrick
On 29 March 2010 06:32, Patrick Vande Walle <patrick@vande-walle.eu> wrote:
On Mon, 29 Mar 2010 12:56:03 +0900, Adam Peake <ajp@glocom.ac.jp> wrote:
[ on creating a formalized, accountable root zone]
Yes, but should (could) ICANN take on that role? Would we trust it?
Right now, for lack of a better forum, ICANN seems to be the only place to address that.
You're both right. ICANN is by far the most logically suitable steward. But there is legitimate concern about ICANN's competence at doing so, given its track record at handling its existing mandate. - Evan
Participants (4): Adam Peake, Cheryl Langdon-Orr, Evan Leibovitch, Patrick Vande Walle