Re: [ga] Cyberspace Security and the Root(s)

[Allan Liska <allan@allan.org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: MD5

Hello Jeff,

Friday, September 20, 2002, 1:06:25 AM, you wrote:

JW>   I am afraid I do not understand you label of me and you compulsion
JW> of name calling as relevant to making a good argument that could or should
JW> be considered valid in the slightest way..

I am afraid I don't understand your inability create a coherent
sentence.  I am not name calling, you are a troll, that is a statement
of fact.  There are numerous FAQs demonstrating your troll-like
nature, I was trying to avoid embarrassing you by pointing them out.
>>
>>
>> The situation you describe would mean one of two things:
>>
>> 1. The multiple roots would have to pull their information from the
>> primary root.

JW>   Not correct necessarily.  However your scenario is one of several
JW> that MIGHT be the situation depending on a number of factors.
JW> The pull could be in both directions.  The shared databases could
JW> also link similar but not exact zone files. These are just two of the
JW> number of factors.

Neither of the two scenarios scenarios you describe make sense from a
technical or security standpoint.  If the pull is in both directions,
who is going to maintain authoritative information?  One central
authority still has to be responsible for information integrity.
Similarly, how would you divide zone files between multiple roots?
One root gets a-m and another gets n-z?  What advantage does that
provide?  Are you going to let different roots maintain different
zones with the same information?  That will lead to a less secure DNS
infrastructure because it will lessen the availability of DNS
information.


>>
>>
>> 2. Alternatively, each root would maintain a primary database of their
>> own, which leads to the possibility that one set of root servers would
>> have different information than the other set of root servers.  Which
>> lowers the integrity of the information, and is, by definition,
>> insecure.

JW>   Just because two different databases supposedly containing the same
JW> information or should be, does not necessarily mean that the security
JW> is lessened.  If you really believe such a blanket statement as that
JW> which you made, please explain in detail how or why that is so.
JW> In fact it depends on what the information is, how it is organized to
JW> a degree, and how aged both sets of data are.

The "should be" in your response answers my question for me.  I don't
want my DNS managed by "should be's" I want it managed by operational
fact.  The fact is that the current root infrastructure is secure,
robust, highly available and meticulously maintained.  By allowing
different roots to maintain independent information about various TLDs
there is a very good chance that different roots will have different
information about domains.  If I change the DNS servers for my domain
it is possible some of the roots will pick up the information but not
others, or some will pick it up later than others.  With a single root
system, all the root servers have the same information -- very few
errors occur at the root level.  By opening the root system in the
above manner so different roots have authoritative databases, you have
increased the chance that a DNS error will occur at the root level
without providing any benefit in terms of security of availability.

>>
>>
>> Also, consider that these alternate roots could possibly be maintained
>> by people like yourself who obviously have no concept of the meaning
>> of information security, therefore could be a massive security threat.

JW>   ROFLMAO.  Well I see that again you revert back to a name calling
JW> argument to support your position.  Bad idea.  Competitive root structures
JW> data presently in their zones is more current than the USG/Legacy's is
JW> or has been for sometime now.  That is a FACT.

Saying that you are not well-versed in security matters is not an
insult, again it is a statement of fact.  It is not possible that the
information in the competitive zones is more current than the
information in the root zone, because they have to pull their
information from the root servers...so, by definition, it has to be
older than the information on the root servers.

On the other hand, if you are referring to the information about
non-ICANN approved TLDs.  Who cares?  I can maintain a database of a
few hundred thousand or even a million domains that have almost no
queries very easily.  When one of these alternative roots has the same
amount of traffic as the F root server -- then come talk to me.


JW>   I have several Domain names...  Checkout Whois yourself..

Name one, and I will.



allan
- --
Allan Liska
allan@allan.org
http://www.allan.org

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQCVAwUAPYvhwn+n87oa5a9VAQE4UQQAgO5sx3CoQHid+BEv4t6PM6FePPptgCiQ
m9ayP+MO8vxkJSLYbBTk7rBP6fWE/jEnkTloSyss1vaKXyxK3aplyx2hJ7YSt4Jg
QVA/j4lxrS6fJw5o5Q31PkwGIgReU2QLmkKqfDpnZHVyk5vcP/Cn09q9MWfdrWei
xoYpLAq6kMM=
=t6vk
-----END PGP SIGNATURE-----

--
This message was passed to you via the ga@dnso.org list.
Send mail to majordomo@dnso.org to unsubscribe
("unsubscribe ga" in the body of the message).
Archives at http://www.dnso.org/archives.html