Re: VeriSign Moves DNS Server To Boost Security

2002-11-11 Thread Stephen Sprunk

Thus spake Gil Cohen [EMAIL PROTECTED]
 In an effort to protect the Internet from future hacking attacks, VeriSign
 (Nasdaq: VRSN - news) has moved one of the Net's root servers to an
 undisclosed physical and virtual location.

Maybe I'm missing something...  J's virtual location aka IP address is now
available from every DNS server in the world, not to mention the public
announcement that VeriSign made to various lists.  How is this undisclosed?

S




Re: VeriSign Moves DNS Server To Boost Security

2002-11-11 Thread David Charlap

Stephen Sprunk wrote:

Thus spake Gil Cohen [EMAIL PROTECTED]


In an effort to protect the Internet from future hacking attacks, VeriSign
(Nasdaq: VRSN - news) has moved one of the Net's root servers to an
undisclosed physical and virtual location.


Maybe I'm missing something...  J's virtual location aka IP address is now
available from every DNS server in the world, not to mention the public
announcement that VeriSign made to various lists.  How is this undisclosed?


And how does it help anybody if a root server's address is made secret?

Wouldn't an off-line backup be just as useful and cheaper to implement?

-- David




Re: VeriSign Moves DNS Server To Boost Security

2002-11-11 Thread Valdis . Kletnieks
On Mon, 11 Nov 2002 09:39:25 CST, Stephen Sprunk [EMAIL PROTECTED]  said:
 Maybe I'm missing something...  J's virtual location aka IP address is now
 available from every DNS server in the world, not to mention the public
 announcement that VeriSign made to various lists.  How is this undisclosed?

You know that, and think it's silly.  I know that, and think it's silly.

But it keeps the CEOs from getting distracted from their management by
buzzword path.  Something Is Being Done, and It's All OK Now.







Re: VeriSign Moves DNS Server To Boost Security

2002-11-08 Thread Daniel Golding

It's kept under Vice-President Cheney's bed. You can't get more
undisclosed than that.

- Daniel Golding


On Fri, 8 Nov 2002, Gil Cohen wrote:



 In an effort to protect the Internet from future hacking attacks, VeriSign
 (Nasdaq: VRSN - news) has moved one of the Net's root servers to an
 undisclosed physical and virtual location.

 http://story.news.yahoo.com/news?tmpl=story2cid=620ncid=738e=9u=/nf/20021108/bs_nf/19918

 Funny read.

 Signed,
 Gil






Re: VeriSign Moves DNS Server To Boost Security

2002-11-08 Thread Sean Donelan

On Fri, 8 Nov 2002, Daniel Golding wrote:
 It's kept under Vice-President Cheney's bed. You can't get more
 undisclosed than that.

The Verisign dilemma, do they bus the politicians to undisclosed location
A to have their pictures taken with a root server; or to undisclosed
location J for their photo-op?

From the archives, J was only supposed to be at NSI for a temporary
period before moving to a different location (and organization), much like
L and M moved to LINX and WIDE after a brief period at ISI and NSI.

The real question isn't why J has moved a few miles to a different
Verisign building, but where in the world should J move?

From my limited understanding of the data, Hong Kong appears to be the
most technically sound location for a new root server.  Asia-Pacific rim
is heavily dependent on M now.  Yes, a lot of A-P traffic is exchanged on
the west coast of the US. But HK is probably the second most central
telecom location for the region. South America, Africa, Russia, India
have lots of people, but aren't very central network-wise.  Root servers
need to be able to serve the world, not just a local region or country.





Re: VeriSign Moves DNS Server To Boost Security

2002-11-08 Thread Randy Bush

 The real question isn't why J has moved a few miles to a different
 Verisign building, but where in the world should J move?

i have been pushing beijing for a few years.  except it would be
nice to have built some operational understanding and trust with
those folk first, perhaps by asking them to secondary arpa for a
while.

randy




Re: VeriSign Moves DNS Server To Boost Security

2002-11-08 Thread David Diaz

Would that be in front of, or behind Big Red (firewall)?

Seriously...would their policies affect the integrity of the root 
zone server files?

At 15:43 -0800 11/8/02, Randy Bush wrote:
 The real question isn't why J has moved a few miles to a different
 Verisign building, but where in the world should J move?


i have been pushing beijing for a few years.  except it would be
nice to have built some operational understanding and trust with
those folk first, perhaps by asking them to secondary arpa for a
while.

randy


--

David Diaz
[EMAIL PROTECTED] [Email]
[EMAIL PROTECTED] [Pager]
Smotons (Smart Photons) trump dumb photons





RE: VeriSign Moves DNS Server To Boost Security

2002-11-08 Thread Barry Raveendran Greene




  The real question isn't why J has moved a few miles to a different
  Verisign building, but where in the world should J move?
 
 i have been pushing beijing for a few years.  except it would be
 nice to have built some operational understanding and trust with
 those folk first, perhaps by asking them to secondary arpa for a
 while.

China! I agree. Beijing or Hong Kong is a toss-up.



Re: VeriSign Moves DNS Server To Boost Security

2002-11-08 Thread bmanning

 From the archives, J was only supposed to be at NSI for a temporary
 period before moving to a different location (and organization), much like
 L and M moved to LINX and WIDE after a brief period at ISI and NSI.
 
 The real question isn't why J has moved a few miles to a different
 Verisign building, but where in the world should J move?
 
 From my limited understanding of the data, Hong Kong appears to be the
 most technically sound location for a new root server.  Asia-Pacific rim
 is heavily dependent on M now.  Yes, a lot of A-P traffic is exchanged on
 the west coast of the US. But HK is probably the second most central
 telecom location for the region. South America, Africa, Russia, India
 have lots of people, but aren't very central network-wise.  Root servers
 need to be able to serve the world, not just a local region or country.


patience grasshopper. :)
pushing J to a distinctly different broadcast domain
is the first step to pushing that instance elsewhere.
pre-ICANN, things moved fairly quickly as compared to
post-ICANN.

--bill 



RE: VeriSign Moves DNS Server To Boost Security

2002-11-08 Thread Sameer R. Manek

It won't be long till most of us on NANOG will know where geographically
it's located. The network community is not that big, and thanks to the
various trade related conferences fairly closely knit, that if you really
wanted to know, someone at verisign will tell you which building it's in.

Secrecy of where it's located isn't really going to stop the ddos attacks,
most packeters know how to do a traceroute, and slam the routers a few hops
in front of host. And it's kind of hard to run into a data center with a
bucket full of water anyways, even if you knew which data center and rack it
was located in.



Sameer

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:owner-nanog;merit.edu]On Behalf Of
 Gil Cohen
 Sent: Friday, November 08, 2002 2:09 PM
 To: NANOG
 Subject: VeriSign Moves DNS Server To Boost Security




 In an effort to protect the Internet from future hacking attacks, VeriSign
 (Nasdaq: VRSN - news) has moved one of the Net's root servers to an
 undisclosed physical and virtual location.

 http://story.news.yahoo.com/news?tmpl=story2cid=620ncid=738e=9;u=/nf/20021108/bs_nf/19918

 Funny read.

 Signed,
 Gil




Re: VeriSign Moves DNS Server To Boost Security

2002-11-08 Thread Brian Wallingford

On Fri, 8 Nov 2002, David Diaz wrote:

:
:Would that be in front of, or behind Big Red (firewall)?
:
:Seriously...would their policies affect the integrity of the root 
:zone server files?

Rhetorical question? :)

Obviously, such a move would be unrealistic if subjective filtering could
affect the viability of J.  I'm sure the powers that be in that region
would understand that.

I'm partial to Randy's thoughts regarding trust;  though, Hong Kong would
seem, for many (albeit political) reasons to be a better/simpler choice.

IMHO, of course.

:
:At 15:43 -0800 11/8/02, Randy Bush wrote:
:  The real question isn't why J has moved a few miles to a different
:  Verisign building, but where in the world should J move?
:
:i have been pushing beijing for a few years.  except it would be
:nice to have built some operational understanding and trust with
:those folk first, perhaps by asking them to secondary arpa for a
:while.
:
:randy




Re: VeriSign Moves DNS Server To Boost Security

2002-11-08 Thread william

Perhaps we shouldn't be saying post-ICANN as we're in ICANN age now, 
if they were to be gone, it would then be post-ICANN and things might even 
move faster (or not at all :) ...

But seriously are there any volunteers there to run root name servers in 
Europe and Asia or are people now expecting to get paid to do it through 
ICANN contract. We do need root name server for every continent and 
perhaps something like official mirror should be considered where 
somebody would run nameserver with complete mirror of all zones that root 
name server would have but it would not be considered official root name 
server (but ISPs in its region would know about and use it). Are other 
regions ever considered something like this to ease load on current root 
servers or perhaps as a first step to having root server there?

   patience grasshopper. :)
   pushing J to a distinctly different broadcast domain
   is the first step to pushing that instance elsewhere.
   pre-ICANN, things moved fairly quickly as compared to
   post-ICANN.
 --bill 
 







Re: VeriSign Moves DNS Server To Boost Security

2002-11-08 Thread Valdis . Kletnieks
On Fri, 08 Nov 2002 18:44:09 PST, [EMAIL PROTECTED]  said:

 server (but ISPs in its region would know about and use it). Are other 
 regions ever considered something like this to ease load on current root 
 servers or perhaps as a first step to having root server there?

Given the numbers presented on http://www.nanog.org/mtg-0210/wessels.html,
I suspect that the actual location won't matter.  As both Wessels and
Vixie have demonstrated, if we wanted to cut the load 30% real fast,
we'd implement 1918 filtering.  If we wanted to cut the load 98%, we'd fix
all the OTHER stupidity.



-- 
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
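
As an added illustration (not part of the original post, and not code from Wessels or Vixie): a sketch that measures how much of a query log "1918 filtering" would drop, assuming the phrase means dropping queries sent from RFC 1918 source addresses and lookups under the RFC 1918 reverse zones. The log tuples and function names are constructed for this example.

```python
import ipaddress
from collections import Counter

# The three private blocks defined by RFC 1918.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)

def reverse_zone_address(qname):
    """Map an in-addr.arpa name (full or partial) to the lowest IPv4
    address it covers, or None if qname is not a reverse-zone name."""
    labels = qname.lower().rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        return None
    octets = labels[:-2][::-1]  # reverse names list the last octet first
    if not 1 <= len(octets) <= 4:
        return None
    if not all(o.isascii() and o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(octets + ["0"] * (4 - len(octets)))

def classify(src, qname):
    """Return why a query would be filtered, or None to let it through."""
    if is_rfc1918(src):
        return "private-source"
    target = reverse_zone_address(qname)
    if target is not None and is_rfc1918(target):
        return "private-reverse-zone"
    return None

def summarize(log):
    """Count filter outcomes over (source, qtype, qname) tuples."""
    return Counter(classify(src, qname) or "passed" for src, _qtype, qname in log)

# Constructed sample log; public sources use documentation address ranges.
SAMPLE_LOG = [
    ("192.0.2.53", "A", "www.example.com."),
    ("192.0.2.53", "PTR", "7.1.168.192.in-addr.arpa."),
    ("10.1.2.3", "A", "example.net."),
    ("198.51.100.7", "PTR", "4.3.2.10.in-addr.arpa."),
    ("198.51.100.7", "PTR", "1.2.0.192.in-addr.arpa."),
    ("198.51.100.7", "SOA", "20.172.in-addr.arpa."),
    ("203.0.113.9", "PTR", "1.32.172.in-addr.arpa."),  # 172.32/16 is public
    ("203.0.113.9", "NS", "."),
]

if __name__ == "__main__":
    for outcome, n in summarize(SAMPLE_LOG).items():
        print(f"{outcome}: {n}/{len(SAMPLE_LOG)}")
```
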






Re: VeriSign Moves DNS Server To Boost Security

2002-11-08 Thread bmanning

 But seriously are there any volunteers there to run root name servers in 
 Europe and Asia or are people now expecting to get paid to do it through 
 ICANN contract. 

last time i was officially detailed to care about such things
the volunteer list was over 100. (circa 1998).
can't say who would want to get paid for it.

 We do need root name server for every continent and 
 perhaps something like official mirror should be considered where 
 somebody would run nameserver with complete mirror of all zones that root 
 name server would have but it would not be considered official root name 
 server (but ISPs in its region would know about and use it). Are other 
 regions ever considered something like this to ease load on current root 
 servers or perhaps as a first step to having root server there?

why on every continent? this way lies madness. look to topology.

and your mirroring proposal (see otha-sans internet-draft)
has some serious flaws wrt data integrity that really
need to be addressed first. that code is slowly coming.

 
  patience grasshopper. :)
  pushing J to a distinctly different broadcast domain
  is the first step to pushing that instance elsewhere.
  pre-ICANN, things moved fairly quickly as compared to
  post-ICANN.

--bill