Re: F.ROOT-SERVERS.NET moved to Beijing?

[Todd Underwood <toddunder () gmail com>]

valdis, all,

On Sun, Oct 2, 2011 at 6:02 PM,  <Valdis.Kletnieks () vt edu> wrote:
> On Sun, 02 Oct 2011 17:30:37 EDT, Todd Underwood said:
>
> > 2) can any root server operator who serves data inside of china verify
> > that the data that they serve have not been rewritten by the great
> > firewall?
>
> DNSSEC should help this issue dramatically.  This however could be problematic
> if the Chinese govt (or any repressive regime) decides to ban the use of
> technology that allows a user to identify when they're being repressed.

sure, but DNSSEC is still basically unused.

> > 3) does ISC (or <Insert Root Operator Here>) have a plan for
> > monitoring route distribution to ensure that this doesn't happen again
> > (without prompt detection and mitigation)?
>
> Leaked routes happen  External monitors and looking glasses and filters and
> communities are all things we should probably be doing more of, in order to
> minimize routing bogosity.  But when all is said and done, there's no real way
> to have a dynamic routing protocol like BGP and at the same time *guarantee*
> that some chucklehead NOC monkey won't bollix things up.  At best, we'll be
> able to get to "less than N brown-paper-bag moments per Tier-[12] per annum" for
> some value of N.

yep.  this is a *great* argument *against* running critical
information services on known-malicious network infrastructure, right?

i.e.:  if you are sure you're going to be interfered with regularly
and you're positive you can't restrict the damage of that interference
narrowly to the people who were already suffering such interference,
perhaps you should choose to not locate your critical network
information resource on that network.

yes, i'm (again) suggesting that people take seriously not doing root
name service inside of china as long as the great firewall exists.

t