Hi John,

Thanks for the response.

On Apr 21, 2025, at 1:41 PM, John Heidemann <johnh@isi.edu> wrote:
David, thanks for the feedback. I suspect it will prompt multiple RSOs to review and update their reporting. I've already seen some changes on https://root-servers.org/rssac001/
Yep. Good to see the additional participation.
There is a REAL TRADE-OFF between how many operational details RSOs provide to help the community understand its diversity and robustness, and how much those details help potential adversaries.
To be honest, I was a bit surprised at the level of info that was provided in the report. For example, for the purposes of evaluating diversity, while it is obviously important that it is noted that 3 different OSes are being used, what those specific OSes are would seem to me to be only of limited value and would provide hints to potential attackers. Of course, the counter argument is that in an Internet full of continuous background radiation of automated anonymous probes of pretty much every CVE ever published, not publishing OSes is just a form of attempted security by obscurity, but that’s a separate issue. Speaking personally, I’d think it’d be sufficient to say something like:

OS A: 15% of all root server instances
OS B: 47% of all root server instances
OS C: 33% of all root server instances
Other: 15% of all root server instances

I.e., there’s no need to get into what OS A, B, C, and “other” are in a public report (although they could be mentioned without the mapping to A, B, C), just that those OSes are different (perhaps in the future, a report to the RSS Governance Structure could provide a higher level of detail if there’s interest?)
I hope the community will recognize the _RSS 2025 Technical Diversity Report_ as progress, even if it's not everything you hope for.
I agree it is a good start — apologies if my input was taken to suggest otherwise.
And, just speaking personally, for me, the statement that a diversity report is useless without a distribution feels a bit extreme. While knowing 48.4% of servers run bind-9.18.36 might answer some very specific questions, such a factoid would be out of date tomorrow. But to try and directly address your question: If one wanted bounds on the distribution, it seems fair to assume that at least one RSO operates one of each of the configurations given in the report.
Personally, I’d think it would be of significant interest to most if 48.4% of root server instances one day stopped responding to queries due to (say) a packet of death. The point I was trying to make is that without distribution information, it is difficult if not impossible for “interested members of the community” to gain assurance that they aren’t at risk of delay/loss of root resolution due to a PoD (or whatever), which is what I assume is the point of the diversity report. Saying “at least one RSO” is running X (which presumably isn’t vulnerable to the PoD) doesn’t provide that assurance since it _could_ mean exactly one RSO has a box running X in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying “Beware of the Leopard”. But perhaps I have the wrong assumption about the intent of the diversity report.

Regards,
-drc