FW: [ALAC] Some information on the rogue root server instance in China
Forwarded on behalf of Ron. ----- Original Message ----- From: "Patrick Vande Walle" <patrick@vande-walle.eu> To: <dns-security-wg@atlarge-lists.icann.org>; "ALAC Worldwide" <alac@atlarge-lists.icann.org> Sent: Sunday, March 28, 2010 9:39 AM Subject: [ALAC] Some information on the rogue root server instance in China
http://www.betanews.com/article/With-three-months-to-go-to-DNSSEC-someones-f...
To summarize: last week, an anycast instance of the I root server stated exhibiting a strange behaviour. Some replies appeared to be spoofed.
Autonomica, the Swedish company managing the I root, claims their anycast instance in China is identical to the other instances they have around the world. In other words, they serve the same root zone, not something that would be "adapted" to the Chinese Internet regulations. CNNIC, on their side, say they are just supplying the power and the bandwidth.
There is a lively discussion on the origin of this malfunction on the SSAC list. Opinions differ, but the research is going on. However, some raised the issue of the accountability of root server operators, and the fact that the absence of a contractual framework (minus L-root) between them and ICANN means that no-one is able to formally complain and seek redress. It is all a question of good faith and willingness on the side of the rootops.
I think indeed that ICANN will have to think about a contractual framework with the root zone operators in the future, along the lines of the registry agreements. After all, the Internet users deserve the same level of service from the root that they get from gTLD operators. I am not saying that the rootops have done a bad job. Quite the contrary. They have done an outstanding volunteer job. However, there should be a mechanism to replace a root operator that fails for whatever reason.
-- Patrick Vande Walle Blog: http://patrick.vande-walle.eu Twitter: http://twitter.vande-walle.eu Facebook: http://facebook.vande-walle.eu _______________________________________________ ALAC mailing list ALAC@atlarge-lists.icann.org http://atlarge-lists.icann.org/mailman/listinfo/alac_atlarge-lists.icann.org
At-Large Online: http://www.atlarge.icann.org ALAC Working Wiki: http://st.icann.org/alac
------ End of Forwarded Message
Thanks Gabi for this message. I followed this discussion with interest since we are a customer of Autonomica's anycast services. It think it is quite obvious that what happened in China, Autonomica has no role in it. Autonomica has just set up one mirror site of the root in China and taken care of it as well as they could. It is a third unknown party (I'm NOT talking about CNNIC) who has manipulated the DNS traffic. In my opinion, it is a good initiative to have contracts (with SLAs) between ICANN and the root operators, but such contracts won't have any effect preventing this kind of things to happen. Juhani -----Original Message----- From: owner-ccnso-council@icann.org [mailto:owner-ccnso-council@icann.org] On Behalf Of Gabriella Schittek Sent: 28. maaliskuuta 2010 21:17 To: ccNSO Council Subject: [ccnso-council] FW: [ALAC] Some information on the rogue root server instance in China Forwarded on behalf of Ron. ----- Original Message ----- From: "Patrick Vande Walle" <patrick@vande-walle.eu> To: <dns-security-wg@atlarge-lists.icann.org>; "ALAC Worldwide" <alac@atlarge-lists.icann.org> Sent: Sunday, March 28, 2010 9:39 AM Subject: [ALAC] Some information on the rogue root server instance in China
http://www.betanews.com/article/With-three-months-to-go-to-DNSSEC-some ones-fudging-root-zone-records/1269642342
To summarize: last week, an anycast instance of the I root server stated exhibiting a strange behaviour. Some replies appeared to be
spoofed.
Autonomica, the Swedish company managing the I root, claims their anycast instance in China is identical to the other instances they have around the world. In other words, they serve the same root zone, not something that would be "adapted" to the Chinese Internet regulations. CNNIC, on their side, say they are just supplying the
power and the bandwidth.
There is a lively discussion on the origin of this malfunction on the SSAC list. Opinions differ, but the research is going on. However, some raised the issue of the accountability of root server operators, and the fact that the absence of a contractual framework (minus L-root) between them and ICANN means that no-one is able to formally
complain and seek redress.
It is all a question of good faith and willingness on the side of the rootops.
I think indeed that ICANN will have to think about a contractual framework with the root zone operators in the future, along the lines of the registry agreements. After all, the Internet users deserve the same level of service from the root that they get from gTLD operators.
I am not saying that the rootops have done a bad job. Quite the contrary. They have done an outstanding volunteer job. However, there
should be a mechanism to replace a root operator that fails for whatever reason.
-- Patrick Vande Walle Blog: http://patrick.vande-walle.eu Twitter: http://twitter.vande-walle.eu Facebook: http://facebook.vande-walle.eu _______________________________________________ ALAC mailing list ALAC@atlarge-lists.icann.org http://atlarge-lists.icann.org/mailman/listinfo/alac_atlarge-lists.ica nn.org
At-Large Online: http://www.atlarge.icann.org ALAC Working Wiki: http://st.icann.org/alac
------ End of Forwarded Message
participants (2)
-
Gabriella Schittek -
Juselius Juhani