Interesting People mailing list archives
IP: more on Re: ROOTS & PRIVACY ISSUES
From: Dave Farber <dave () farber net>
Date: Sun, 14 Apr 2002 07:05:06 -0400
Date: Sun, 14 Apr 2002 02:04:29 -0700
To: farber () cis upenn edu
From: Simon Higgs <simon () higgs com>
Subject: Re: IP: ROOTS & PRIVACY ISSUES

At 03:06 PM 4/13/2002 -0400, Dave Farber wrote:

For IP:

This is old news (by internet standards - it occurred in June 2001), but nonetheless, it's a very intriguing "big deal about nothing".

Diebold used PCCF as an ISP to host two ORSC root servers. No big deal there. When the contract with PCCF ended, Diebold decided to discontinue their maintenance of the two root servers, and so the IP addresses (205.189.73.10 and 205.189.73.102) reverted back to the PCCF pool. Again, no big deal.

Because of some unfortunate "politics" (putting it politely), PCCF decided they didn't want to continue to provide root service for ORSC and decided to throw a temporary, but novel, spanner in the works.

Normally, once DNS records are changed, all the queries resolve to the new IP address at the new ISP. The problem for any root zone is that the root server IPs are hard coded in the "hints" file of the root. If you know BIND, then you know what a hints file looks like. If not, the legacy root hints file can be found here:

ftp://rs.internic.net/domain/named.ca

The ORSC root looks exactly the same, but with different IP addresses, and uses the "root-servers.orsc" domain name. Each DNS server (every single one) has to be updated by its administrator when a new hints file is published. Until that happens, the DNS server still queries the old IP addresses in the old hints file.

After PCCF removed the ORSC root servers, the traffic for the ORSC root continued to target the PCCF IP addresses. Inbound queries use bandwidth, and non-answering IPs use even more bandwidth when the request is repeated several times by the DNS client. What PCCF did to solve this problem was very novel. Even though it was largely ineffective, it did bring to light the issues raised by the letter below.

What PCCF did was to put two new root servers on the old Diebold IP addresses. These root servers had a single root zone file that was unique on the internet:

    $ORIGIN .
    @                 1D IN SOA  baptista.vortex. baptista.pccf.net. (
                                 2001010154 ; serial
                                 8H         ; refresh
                                 2H         ; retry
                                 1W         ; expire
                                 1D )       ; minimum
                      1D IN NS   baptista.vortex.
    baptista.vortex.  1D IN A    205.189.73.10
                      1D IN A    205.189.73.102
    email.blackhole.  1D IN A    10.0.0.1
    *.                1D IN A    192.0.2.111
                      1D IN A    172.16.0.15
                      1D IN MX   5 email.blackhole.

This file might look like gibberish to some on IP, but what it does is to answer every DNS request with the same two IP addresses - 192.0.2.111 and 172.16.0.15. That's right, every domain name you could possibly imagine will resolve to those two IP addresses. And at both of those IP addresses was a web site with an announcement that root service had been terminated, forcing the end users to re-configure their DNS, and telling them (in PCCF's opinion) why.

What the letter below outlines, is that it is possible for root server operators to trap the end user's DNS request for surveillance purposes (the above root zone does exactly this). It's not a very clean process, because it requires a redirect back to the true IP address after logging the request. I'm quite sure this would end up on the security mailing lists very quickly if the root server operators actually tried to do this since there is an auditable packet trail which can be seen by the DNS client. For instance, the PCCF "experiment" is unable to show any kind of packet redirection from the surveillance IP address to the real destination IP address - this would be required in order to show evidence of a transparent surveillance practice.

Partly as a result of these events, ORSC has changed the way it provides pointers to its root zone. The hints file is now obsolete, and each DNS server using the ORSC root zone can now load the entire top level root zone locally (remember this is the "Open Root Server Confederation").
This removes the need to always query a limited set of root servers. Instead it provides much faster resolution to DNS queries by allowing the query to bypass the root servers and go straight to the TLD servers. If the legacy root (US Gov/ICANN root) did the same thing, it would scale to a far larger number of DNS clients than is currently possible, and even the remote possibility of root server surveillance would be completely removed.

Other than that, the letter is a very nice way for PCCF to create some unwarranted FUD and raise $10 from anyone wishing to see the logs of this event. The logs are far better at showing the security vulnerabilities of the web sites being visited than of any kind of root surveillance practice.

For archives see: http://www.interesting-people.org/archives/interesting-people/
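
Added example, not part of the message above and not code from ORSC or PCCF: a resolver-side check for the behaviour the quoted zone file produces, where names that should not exist all come back with the same address set and none of the addresses is globally routable. The lookup interface, function names and the two simulated resolvers are assumptions constructed for this sketch; only the two wildcard addresses come from the message.

```python
import ipaddress
import secrets

# From the message: the "*." record answers every name with these two addresses.
WILDCARD_ANSWERS = ["192.0.2.111", "172.16.0.15"]

def wildcard_root_lookup(name):
    """Constructed stand-in for a resolver whose hints point at the wildcard root."""
    return list(WILDCARD_ANSWERS)

def healthy_lookup(name):
    """Constructed stand-in for a normal root: NXDOMAIN modelled as an empty list."""
    return []

def random_probe_names(count=5):
    """Names under random TLD labels that no real root zone should delegate."""
    return [f"probe.x{secrets.token_hex(8)}." for _ in range(count)]

def check_root(lookup, probes=None):
    """Report whether `lookup` shows wildcard-root behaviour.

    lookup: callable taking an FQDN and returning a list of A-record strings
            (hypothetical interface; wrap your real resolver client to match).
    """
    probes = probes or random_probe_names()
    answers = [frozenset(lookup(name)) for name in probes]
    answered = [a for a in answers if a]
    # Every nonexistent name got an answer, and always the same address set.
    wildcard = len(answered) == len(probes) and len(set(answered)) == 1
    # Non-routable answers (RFC 1918, TEST-NET) cannot be a real destination.
    non_global = sorted(
        {ip for a in answered for ip in a
         if not ipaddress.ip_address(ip).is_global}
    )
    return {"wildcard": wildcard, "answered": len(answered),
            "non_global": non_global}

if __name__ == "__main__":
    print("wildcard root:", check_root(wildcard_root_lookup))
    print("healthy root: ", check_root(healthy_lookup))
```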