[discuss] Artificial conflation of issues not helpful. [Was: Digest, Vol 3, Issue 67]

David Conrad drc at virtualized.org
Thu Feb 20 19:53:03 UTC 2014


On Feb 19, 2014, at 5:58 PM, Michel Gauthier <mg at telepresse.com> wrote:
> Would VGNICs become a worrying issue?

What's a "VGNIC"?

> I thought it was only securely applying RFCs?

How does one "securely apply" a document? Use duct tape?

> 1. Why do people want to offer root server service?

Of the 12 different organizations that are currently providing root service, if you ask them, you'll probably get 12 different answers since they're all independent. However, I suspect most will respond with something that boils down to "for the good of the Internet" (or perhaps for some, a particular subset of the Internet).

Of the folks who don't run a root server but who want to, I suspect the answers range from "for the good of the Internet" to "my country doesn't want to be dependent on another country for their critical infrastructure" to "because somebody else is running one and we're more important than they are".  There are probably other reasons.

Do you have any evidence that people want to offer root server service in order to facilitate USG surveillance?

> 2. How much does it costs to them?

It depends. If you want to run an instance of an existing root server and you provide the bandwidth/power/cooling, maybe a couple of thousand dollars (US) for the hardware (unless hardware that meets the specifications is donated of course). If you have to pay for bandwidth/power/cooling, the price will obviously go up. If you want to be the root operator (as opposed to running an instance) and you want to do it well, it is _quite_ expensive, both in terms of capex (servers, routers, switches, etc) as well as opex (bandwidth, co-lo space, power, etc).

> 3. How much are they get paid?

As far as I am aware, no root server operator gets paid for providing root service.

> 4. Who has access to the logfiles?

Which log files?  In general, the system administrators of the servers will have access to the log files of those servers.  If you're suggesting the root servers collect query logs, I suspect you underestimate the amount of data this implies and the load it imposes on the servers.  As far as I'm aware, query logging is only turned on for a subset of the root servers for about 50 hours per year as part of the "Day In The Life" (DITL) research project (see http://www.caida.org/projects/ditl/ and https://www.dns-oarc.net/oarc/data/ditl).

> 5. ICANN has no control on the root file. It can only advises.

True, more or less, in the sense that ICANN cannot make changes unilaterally to the root zone.

> Everyone has control on his/her own EZOP top-file report.

What's an "EZOP top-file report"?

> So why is ICANN so excited about the root file?

Presumably because ICANN, by it By Laws, coordinates, at an overall level, the Internet's system of unique identifiers, of which the DNS root zone is one.  ICANN is also the entity entrusted with the IANA functions, of which validating root zone modification requests is one. And, of course, ICANN was specifically created to facilitate competition in the domain name space, which has been interpreted as creating new top-level domains.  

> Here are the root servers list you (ICANN) provide. They are receiving the DNS logs in real time.

Do you mean they are receiving DNS queries in real time?

> Which one do not have ties/contract with the USG

Since you appear to take an expansive view of "ties/contract with the USG", I suspect the answer here would be "none". After all, even the non-US root servers are likely to have had some tie with the USG at some point, e.g., I personally know long ago (circa early 90s), WIDE was directly involved in the USG (NASA and NSF) funded PACCOM project that connected research/academic networks in the Asia Pacific Rim to the US NSFNet.

Of course, the fact that there are/were ties/contracts says precisely nothing about links between root management and USG surveillance.

> (BTW how were them chosen)?

Jon Postel made the original delegations long before ICANN or significant interest in the Internet existed by metrics known only (to my knowledge) to Jon. Since that time, some of the root servers have changed 'ownership' over time, e.g., "C" was originally delegated to PSI, but Cogent acquired PSI's assets when PSI went bankrupt.

> Which one can you swear are not spied by the NSA?

How do you prove a negative?


> -  Internet Systems Consortium, Inc. (F)
>   http://www.thefreelibrary.com/NSA+partners+with+ISC2+to+create+new+InfoSec+certification.-a098668829

ISC2 ("The International Information Systems Security Consortium") is not the same as ISC ("The Internet Systems Consortium").  Of course, ISC has received funding from the USG for development of stuff like DNSSEC in BIND so clearly they're tainted.

> People are  no fools

Actually, some people actually are fools, but sometimes it's polite to humor them.

Hope this helps.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://1net-mail.1net.org/pipermail/discuss/attachments/20140220/8452dc5e/signature-0001.asc>

More information about the discuss mailing list