Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-16 Thread Warren Kumari
On Friday, November 14, 2014, Wolfgang Nagele (AusRegistry) <wolfgang.nag...@ausregistry.com.au> wrote: > Hi, > > AS112 absolutely proves that unowned anycast can work at scale; that's > not > my concern. But if my neighbor announces a route to the AS112 addresses, > and then misconfigures a

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-14 Thread Mark Andrews
In message <000e7a4f-6391-4842-b2ed-2a28b8d3e...@virtualized.org>, David Conrad writes: > > Mark, > > On Nov 14, 2014, at 11:19 AM, Mark Andrews wrote: > >> I believe a better (still not perfect) analogy would be 6to4 > > > > 6to4 has asymmetric routing 99.9% of the time, > > 99.9% of all sta

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-14 Thread Wolfgang Nagele (AusRegistry)
One of my biggest concerns about the current proposal is that it seems to suggest that AS112 works. actually, the proposal doesn't mention AS112, but my discussion of the proposal here has mentioned AS112. Correct. I would like to find some definition of “works” and how we come to that conclusi

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-14 Thread Paul Vixie
i think we're about to enter a non-discuss period for scalingroot-XX, yet this message touches other topics. > Wolfgang Nagele (AusRegistry) > Friday, November 14, 2014 1:48 PM > Hi, > > One of my biggest concerns about the current proposal is that it se

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-14 Thread David Conrad
Mark, On Nov 14, 2014, at 11:19 AM, Mark Andrews wrote: >> I believe a better (still not perfect) analogy would be 6to4 > > 6to4 has asymmetric routing 99.9% of the time, 99.9% of all statistics are made up. > encapsulating IPv4 address mismatch, etc. which are 6to4 specific issues. You ap

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-14 Thread Paul Vixie
> David Conrad > Friday, November 14, 2014 1:10 PM > Hi, > > I think AS112 is a red herring: it doesn't prove anything that wasn't > already known ages ago (i.e., BGP works). > > I believe a better (still not perfect) analogy would be 6to4 and I'd > refer to the disc

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-14 Thread Wolfgang Nagele (AusRegistry)
Hi, AS112 absolutely proves that unowned anycast can work at scale; that's not my concern. But if my neighbor announces a route to the AS112 addresses, and then misconfigures a server, fills it with lies, or logs all my queries, the practical effect on me is pretty small: the worst case scenario

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-14 Thread Mark Andrews
In message <19b42657-aed1-440e-8300-996915a28...@virtualized.org>, David Conrad writes: > Hi, > > On Nov 14, 2014, at 8:33 AM, Evan Hunt wrote: > > AS112 absolutely proves that unowned anycast can work at scale; > > I think AS112 is a red herring: it doesn't prove anything that wasn't > already

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-14 Thread David Conrad
Hi, On Nov 14, 2014, at 8:33 AM, Evan Hunt wrote: > AS112 absolutely proves that unowned anycast can work at scale; I think AS112 is a red herring: it doesn't prove anything that wasn't already known ages ago (i.e., BGP works). I believe a better (still not perfect) analogy would be 6to4 and

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-14 Thread Paul Vixie
> Evan Hunt > Friday, November 14, 2014 10:33 AM > > ... > > I believe there's more scope for an incompetent or malicious root server > operator to block, surveil, or deceive me, and while there are defenses I > can deploy against some misbehaviors, I think we need to be cau

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-14 Thread Evan Hunt
On Tue, Nov 11, 2014 at 10:26:22PM -0800, Paul Vixie wrote: > i don't know how to answer your discomfort. as you know i was > responsible for f-root's anycast growth for many years; as you may not > know i was responsible for as112's early growth after a bill manning > experiment succeeded. AS112

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-11 Thread Paul Vixie
> Evan Hunt > Tuesday, November 11, 2014 4:11 PM > On Tue, Nov 11, 2014 at 06:14:44PM -0500, Andrew Sullivan wrote: > ... For the record, I'm not comfortable with the Lee/Vixie proposal > that new root server addresses be globally routable and anycasted by > anyone who wants

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-11 Thread Paul Vixie
> Andrew Sullivan > Tuesday, November 11, 2014 3:14 PM > On Mon, Nov 10, 2014 at 01:34:05PM -0800, Paul Vixie wrote: > >> ... any RDNS operator who receives advice on how to change their root >> hints to use the unowned-anycast root server addresses will also be t

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-11 Thread Andrew Sullivan
On Wed, Nov 12, 2014 at 12:11:03AM +, Evan Hunt wrote: > Because that's not necessary to address the technical issue this proposal > is intended to address, and it would be undesirable for a host of other > reasons, so, you know, let's not do that. It would be undesirable to you. It is not pl

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-11 Thread Evan Hunt
On Tue, Nov 11, 2014 at 06:14:44PM -0500, Andrew Sullivan wrote: > But my point is that it's a different zone. Once you allow for the > possibility that an apex record could change in this zone, why not > change other records too? Because that's not necessary to address the technical issue this p

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-11 Thread Andrew Sullivan
On Mon, Nov 10, 2014 at 01:34:05PM -0800, Paul Vixie wrote: > yes. parts of the 'net can be made root-serverless by accident this way, Ok, good, I didn't misunderstand. > > And isn't there some danger that this "parallel" root becomes an > > attractive target for those who want things to be dif

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-11 Thread Ralf Weber
Moin! > On 10 Nov 2014, at 20:11, Brian Dickson wrote: >> With DNSSEC any modification (malicious or not) can be detected so the >> actual packet origin doesn't matter. The data origin/authenticity is what we >> care about. >> > This is true ONLY for DNSSEC-protected data, and then only to the

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-11 Thread Tony Finch
George Michaelson wrote: > Given the behaviour of unknown algorithm, if the anycast node signs with an > algorithm they can guarantee you don't understand, how did you know DNSSEC > was turned off silently? Because your trust anchor says the root zone MUST be signed with a particular key. Tony.

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-11 Thread Tony Finch
John R Levine wrote: > > > This happens in China (on CERNET I believe): there are a set of root > > > mirrors that hijack most (but not all) of the root IPs. As far as we > > > can tell, the servers are legitimate, returning the proper responses, > > > except that the mirror servers don't suppor

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-10 Thread Brian Dickson
On Mon, Nov 10, 2014 at 7:16 PM, Ralf Weber wrote: > Moin! > > > On 10 Nov 2014, at 16:49, Brian Dickson > wrote: > > > > The addresses associated with those names ( [a-m].root-servers.net ) > are replaceable in a way which is undetectable and unprotected by DNSSEC. > > > > > With DNSSEC any mod

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-10 Thread Ralf Weber
Moin! > On 10 Nov 2014, at 16:49, Brian Dickson wrote: > > The addresses associated with those names ( [a-m].root-servers.net ) are > replaceable in a way which is undetectable and unprotected by DNSSEC. > > Thus, there is no need to hijack BGP routes. There is not even a requirement > that 1

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-10 Thread Brian Dickson
Paul Vixie wrote: > because right now the people who do this have to pirate the address space > of root name servers, and they have to do it for all of our addresses. > under this proposal, there would be no piracy required, and there would > only be two address blocks per stack (two for v4, two f

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-10 Thread Paul Vixie
> George Michaelson > Monday, November 10, 2014 1:02 PM > Given the behaviour of unknown algorithm, if the anycast node signs > with an algorithm they can guarantee you don't understand, how did you > know DNSSEC was turned off silently? > > ie, downgrade silent response

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-10 Thread Paul Vixie
> Andrew Sullivan > Sunday, November 09, 2014 3:58 PM > Hi, > > > I didn't understand that, either; I thought what John said was what > you intended. > > Doesn't this suffer in terms of robustness? yes. parts of the 'net can be made root-serverless by accident th

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-10 Thread Paul Vixie
> John R Levine > Sunday, November 09, 2014 3:50 PM > > ... > > It's still not clear to me what the practical advantage of this is > over my hack of networks inserting their own routes for one of the > existing servers, other than perhaps that it's easier to diagnose from

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-10 Thread Paul Vixie
> Ralf Weber > Sunday, November 09, 2014 3:30 PM > Moin! > > They can do this with today with the current root zone. AXFR it from a > root server, serve it and point your root hints to it. Why do you want > to complicate this? because right now the people who do this have

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-10 Thread George Michaelson
Given the behaviour of unknown algorithm, if the anycast node signs with an algorithm they can guarantee you don't understand, how did you know DNSSEC was turned off silently? ie, downgrade silent response means that an anycast node can mask changes to the root, because you won't know DNSSEC was di

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-10 Thread John R Levine
This happens in China (on CERNET I believe): there are a set of root mirrors that hijack most (but not all) of the root IPs. As far as we can tell, the servers are legitimate, returning the proper responses, except that the mirror servers don't support DNSSEC. Those are unusual meanings for "le

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-10 Thread Tony Finch
Nicholas Weaver wrote: > > This happens in China (on CERNET I believe): there are a set of root > mirrors that hijack most (but not all) of the root IPs. As far as we > can tell, the servers are legitimate, returning the proper responses, > except that the mirror servers don't support DNSSEC. Th

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-10 Thread Nicholas Weaver
> On Nov 10, 2014, at 12:13 AM, John Levine wrote: > >> And isn't there some danger that this "parallel" root becomes an >> attractive target for those who want things to be different than >> what's in the "official" root? That is, in effect, isn't this a plain >> old alternative root? > > I w

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-10 Thread John Levine
>And isn't there some danger that this "parallel" root becomes an >attractive target for those who want things to be different than >what's in the "official" root? That is, in effect, isn't this a plain >old alternative root? I would assume the plan is that the clients use DNSSEC to validate the

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-09 Thread Andrew Sullivan
Hi, On Sun, Nov 09, 2014 at 03:10:31PM -0800, Paul Vixie wrote: > we intend that iana craft a second root zone, published in parallel with > the existing one, each being synchronized in terms of tld content, and > each signed with the then-current iana signing key. > > the second one will only h

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-09 Thread John R Levine
the second one will only have two NS RR's at its apex, not thirteen. Oh, OK, rereading the Circle ID piece I see that's what you mean, but it's not super clear. It's still not clear to me what the practical advantage of this is over my hack of networks inserting their own routes for one of t

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-09 Thread Ralf Weber
Moin! > On 09 Nov 2014, at 15:10, Paul Vixie wrote: > we intend that iana craft a second root zone, published in parallel with the > existing one, each being synchronized in terms of tld content, and each > signed with the then-current iana signing key. > > the second one will only have two NS

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-09 Thread Paul Vixie
> John Levine > Sunday, November 09, 2014 2:57 PM > > As I understand it, the proposal is to add another root server, the > "X" root, with A and records pointing at addresses that will > never be globally routed, with an invitation to networks of whatever > size to p

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-09 Thread John Levine
>(http://www.circleid.com/posts/20141107_secure_unowned_hierarchical_anycast_root_name_service_and_apologia/) As I understand it, the proposal is to add another root server, the "X" root, with A and records pointing at addresses that will never be globally routed, with an invitation to networ

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-08 Thread Paul Vixie
> Suzanne Woolf > Saturday, November 08, 2014 7:12 AM > Paul, > > Thanks for the update. > > Do you expect to ask the WG to adopt the revised draft as a WG work item? yes, definitely. but not in hawaii and not on the basis of the -00 revision. -- Paul Vixie

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-08 Thread Suzanne Woolf
Paul, Thanks for the update. Do you expect to ask the WG to adopt the revised draft as a WG work item? On Nov 7, 2014, at 4:19 PM, Paul Vixie wrote: > because of excessive travel, i did not have a chance to help update > draft-lee-dnsop-scalingroot before the cutoff for ietf hawaii. here's > m

[DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-07 Thread Paul Vixie
because of excessive travel, i did not have a chance to help update draft-lee-dnsop-scalingroot before the cutoff for ietf hawaii. here's more background on that draft, sent first to my blog because i've heard from so many policy makers about my radical mention of adding some root name servers. sca