On Thu, Apr 1, 2010 at 6:34 AM, Joe Baptista <baptista@publicroot.org> wrote:
On Wed, Mar 31, 2010 at 2:21 PM, McTim <dogwallah@gmail.com> wrote:
I should have specified the questions I'm asking are to ICANN. And the I don't see how ICANN has to answer to you (or to anyone) for any random MiM attack.
You must be an ICANN apologist - or else you must not understand ICANN's role in this.
I totally understand ICANN's role, it seems you do not.
First of all I have no idea if it is a MitM attack.
IF ICANN serves the zone to L and L serves the zone as they say they do (and knowing them personally, I take them at their word) then what else would it be?? Clearly someone was rewriting DNS replies from L node in Beijing. A "misconfigured gateway" is a nonsensical notion. That implies intent. So
far from what I can see this was a technical error. I know you're eager to implicate China in this but so far all I see is a misconfiguration of a gateway. But your MitM attack and my misconfiguration are nothing more than good guess work a.k.a. speculation. We need the speculation to stop and the responsible party to stand up and take a bow. That's ICANN.
I contend that it is not ICANN. L has made their claim, CNNIC has made theirs (they aren't responsible for the rewriting). It seems you want to make ICANN responsible for everything that people do with the DNS. It's just not so.
Over the years I have seen a lot of bullshit from ICANN about security and stability. I know it's all mainly bullshit because I have always said security on the Internet is more an act of faith and has very little to do with reality or common sense. But we're stuck with it. You people embraced it, you placed blind reliance on it. We have no other option we must make it work. And that includes dumping old methods of serving root - i.e. IANA.
We have seen how much luck you have had with that over the years.
I do not accept the pass the buck attitude when it's inconvenient which is the sorry excuse you're making for ICANN. That's not right. In fact ICANN should publish something like a CERT anytime it gets MitMed or whatever. That sort of behavior is responsible - passing the buck is not.
ICANN also needs to examine if operating root servers in censored countries - i.e. China - is a good idea. The facts thus far show it is not. Maybe time to shutdown the China servers and prevent further episodes from that source. That's the call I would make.
ICANN does not have this level of control over rootops, nor should they IMHO.
The Chinese people are a very lovely advanced people with great national pride. But the ruling elite is retarded and corrupt. The only way I would maintain an IANA root in China is if the Government of China provided assurances it would mind its own business.
The DNS is there, it's open, no security built in. ICANN didn't build it, they are however trying to add some security, which you bitch about. You can't have it both ways.
I know the DNSSEC make-work project very well. It's not a solution and is just as prone to MitM attacks. The encryption is juvenile, the economic costs are enormous and it's a bandwidth hog that fails to fix the Kaminsky bug while re-engineering the Internet in ICANN's favor. No thanks. 1% of Internet users use OpenDNS and they support DNSCurve. That's more people than there are DNSSEC domains in the wild.
http://opendns.jobscore.com/job_seeker/jobs/job_posting?job_id=b7pSvUn3ir37a...
I'm off on safari for Easter, so fire back with all the nonsense in your arsenal, I won't be replying.
--
Cheers,
McTim
"A name indicates what we seek. An address indicates where it is. A route indicates how we get there." Jon Postel