Re: F.ROOT-SERVERS.NET moved to Beijing?

[Valdis.Kletnieks () vt edu]

On Sun, 02 Oct 2011 17:30:37 EDT, Todd Underwood said:

> 2) can any root server operator who serves data inside of china verify
> that the data that they serve have not been rewritten by the great
> firewall?

DNSSEC should help this issue dramatically.  This however could be problematic
if the Chinese govt (or any repressive regime) decides to ban the use of
technology that allows a user to identify when they're being repressed.

> 3) does ISC (or <Insert Root Operator Here>) have a plan for
> monitoring route distribution to ensure that this doesn't happen again
> (without prompt detection and mitigation)?

Leaked routes happen  External monitors and looking glasses and filters and
communities are all things we should probably be doing more of, in order to
minimize routing bogosity.  But when all is said and done, there's no real way
to have a dynamic routing protocol like BGP and at the same time *guarantee*
that some chucklehead NOC monkey won't bollix things up.  At best, we'll be
able to get to "less than N brown-paper-bag moments per Tier-[12] per annum" for
some value of N.

Attachment: _bin
Description: