On Wed, Mar 31, 2010 at 2:21 PM, McTim <dogwallah@gmail.com> wrote:
I should have specified the questions I'm asking are to ICANN. And the I don't see how ICANN has to answer to you (or to anyone) for any random MiM attack.
You must be an ICANN apologist - or else you must not understand ICANN's role in this. First of all I have no idea if it is a MitM attack. That implies intent. So far from what I can see this was a technical error. I know you're eager to implicate China in this but so far all I see is a misconfiguration of a gateway. But your MitM attack and my misconfiguration are nothing more than good guess work a.k.a. speculation. We need the speculation to stop and the responsible party to stand up and take a bow. That's ICANN. Over the years I have seen a lot of bullshit from ICANN about security and stability. I know it's all mainly bullshit because I have always said security on the Internet is more an act of faith and has very little to do with reality or common sense. But we're stuck with it. You people embraced it, you placed blind reliance on it. We have no other option we must make it work. And that includes dumping old methods of serving root - i.e. IANA. I do not accept the pass the buck attitude when it's inconvenient which is the sorry excuse you're making for ICANN. That's not right. In fact ICANN should publish something like a CERT anytime it gets MitMed or whatever. That sort of behavior is responsible - passing the buck is not. ICANN also needs to examine if operating root servers in censored countries - i.e. China - is a good idea. The facts thus far show it is not. Maybe time to shut down the China servers and prevent further episodes from that source. That's the call I would make. The Chinese people are a very lovely advanced people with great national pride. But the ruling elite is retarded and corrupt. The only way I would maintain an IANA root in China is if the Government of China provided assurances it would mind its own business.
The DNS is there, it's open, no security built in. ICANN didn't build it, they are however trying to add some security, which you bitch about. You can't have it both ways.
I know the DNSSEC make-work project very well. It's not a solution and is just as prone to MitM attacks. The encryption is juvenile, the economic costs are enormous and it's a bandwidth hog that fails to fix the Kaminsky bug while re-engineering the Internet in ICANN's favor. No thanks. 1% of Internet users use OpenDNS and they support DNSCurve. That's more people than there are DNSSEC domains in the wild. Now if ICANN adopted DNSCurve I would be impressed. But it won't - too many ICANN cronies have invested in the DNSSEC dead end.
ICANN serves the root zone to the root servers, L has said (read the dns-ops for the latest statement) that they are faithfully serving the ICANN root. Both ICANN and the rootop are doing their job.
Yes - it's doing its job in serving the root. That's ICANN's basic contractual obligation to the U.S. government and world in general. But it's failing on the security and stability part of the equation.
Running your own root is no solution to MiM attacks. Your "solution" does not address the current issue.
Yes it does. It takes the MitM out of the middle - at least with respect to root. I personally know my connection experience was not affected. Unless of course the TLDs have gTLD servers also anycasting out of China. Oh dear ;) There I go again - another potential vulnerability exposed in running infrastructure from China. I just hope ICANN and the world finally understands we don't run critical world infrastructure from censored countries.
regards
joe baptista