Re: [DNSOP] Should root-servers.net be signed

Nicholas Weaver <nweaver@ICSI.Berkeley.EDU> Fri, 19 March 2010 17:02 UTC

In-Reply-To: <FD7E1CD6-E5D2-4A6B-9990-3CE2335E2BA8@nominum.com>
Message-Id: <A655F50D-8DEC-4ED3-A75D-C08B36C65648@ICSI.Berkeley.EDU>
From: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>
Date: Fri, 19 Mar 2010 10:02:29 -0700
To: Ted Lemon <Ted.Lemon@nominum.com>
Cc: George Barwood <george.barwood@blueyonder.co.uk>, "dnsop@ietf.org" <dnsop@ietf.org>, Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>
Subject: Re: [DNSOP] Should root-servers.net be signed

On Mar 19, 2010, at 9:41 AM, Ted Lemon wrote:

> On Mar 19, 2010, at 12:20 PM, Nicholas Weaver wrote:
>> HAHAHA.  Not bloody likely IMO: a lot of the "open resolvers" are broken end-user NATs and similar.  Those will only be updated sometime around when hell freezes over.
> 
> Stuff gets updated when its brokenness becomes obvious to the person who owns it.   So revealing its brokenness is a mitzvah.

But it's not broken for the person doing it.

In fact, given it costs $10-50 to replace ($10 for a reflash when you consider time and effort) and, with flat rate internet billing, $0 to maintain as 'broken', unless the ISP is going to cut the person off, it makes no sense for them to fix!

And the ISP has no reason either, as people are not using this for significant DoS attacks anyway: application-level DoS is where it's at if you are going to burn bots (which are a REAL resource) for DoS attacks, due to a combination of far greater effectiveness AND the widespread use of filters against spoofed packets.

So why spend $10-