ICANN/DNSO
DNSO Mailing lists archives

[ga-roots]

Re: [ga-roots] Re: [icann-eu] Letter to Dr. Vint Cerf


On Thu, May 10, 2001 at 12:09:22AM +1000, List Admin wrote:
> [Repost upon request from Patrick Corliss - this message had
> originally been distributed on icann-europe.  Note that I'm not
> subscribed to ga-roots.  Please CC me on any replies.
> 
> What a chaos. -tlr]
> 
> On 2001-05-08 13:24:23 -0700, Kent Crispin wrote:
> 
> > The misconfiguration is in creation of a .biz in an alternate
> > root system, and connecting that to the global Internet -- an
> > action which exposes one to all kinds of problems, not just the
> > one you outline.
> 
> I disagree.

But down below you agree...

> The interesting question about Jefsey's scenario is how the message
> gets to a mail server which uses the wrong root system - from the
> sender's point of view.  (The argument is entirely symmetric under
> exchange of canonical and alternative roots.)

Indeed it is, and it can work between two alternative roots -- the ICANN 
root need not be involved.

[.scenarios deleted.]

In fact there are numerous other possibilities for sources of
contamination.  For example -- I go to a conference and hook up my
laptop to the ISP providing connectivity to the conference.  I am
required to use their smtp server; it uses some set of roots I never
heard of...  Or: My employer uses an ISP under one root zone, I have a
personal account at a different ISP.  My ISP decides that it is going to
support a new root zone, with a different version of the TLD in
question.  Why would an ISP do that? Because it gets a customer request
to host a web site in a new TLD?

This is confusion through direct lookups.  When one adds the effect of
pollution of resolver caches, the situation becomes much worse.  The
response to DNS queries frequently contains the IP address of a name
server to optimize lookups of associated information -- so you can
look up an MX record for a domain, find a server in some alternate root,
and get back AT THE SAME TIME the information for the nameserver for
that mail server.  This information will now be cached, resulting
(potentially) in a nameserver that serves up authoritative records
for a domain that is completely out of band with the DNS tree you
think you are using.  The above discussion is in terms of MX records,
but how about inverse lookups -- all kinds of things (e.g. servers
resolving names for logging purposes) do inverse lookups on IP
addresses, and will get nameserver information in the caches from names
they never heard of.

> Thus, I don't think that connecting name servers with an alternative
> root zone to the Internet is the really bad thing - but actually
> using them may quickly turn out to be a very bad thing.

Here you seem to be in agreement, so I am puzzled.

Of course, if no packets flow, you can't do any harm.  That is not an
interesting observation.  Implicit in all this is that the stuff is
actually being used...

-- 
Kent Crispin                               "Be good, and you will be
kent@songbird.com                           lonesome." -- Mark Twain
--
This message was passed to you via the ga-roots@dnso.org list.
Send mail to majordomo@dnso.org to unsubscribe
("unsubscribe ga-roots" in the body of the message).
Archives at http://www.dnso.org/archives.html
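The cache-pollution mechanism Kent describes above (an MX answer from a server in an alternate root arriving together with address records for its nameserver, which the resolver then caches) can be seen in a small model. The following is an added example and is not code from the original post or from any resolver: a toy cache that either accepts every record in a reply or applies the bailiwick rule production resolvers use, dropping additional-section records whose owner name lies outside the zone the answering server is authoritative for. The zone names, host names and addresses are constructed sample data.

```python
# Added illustration for this ga-roots thread, not code from the original
# post.  It models how a resolver that caches the additional section of a
# DNS response can end up holding records for a name it never asked about,
# and how a bailiwick check limits the damage.  All names, zones and
# addresses below are constructed sample data (RFC 5737 documentation
# address ranges).
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RR:
    """One resource record in presentation form (names are absolute)."""
    name: str    # owner name, e.g. "mail.example.biz."
    rtype: str   # "A", "MX", "NS", ...
    data: str    # RDATA, e.g. "198.51.100.25"


@dataclass
class Response:
    """A reply from a server authoritative for `zone`."""
    zone: str
    answer: List[RR]
    additional: List[RR] = field(default_factory=list)


def in_bailiwick(name: str, zone: str) -> bool:
    """True when `name` is `zone` itself or lies beneath it."""
    name, zone = name.lower(), zone.lower()
    return name == zone or name.endswith("." + zone)


class Cache:
    """Minimal resolver cache; the flag selects naive or bailiwick-checked ingest."""

    def __init__(self, check_bailiwick: bool) -> None:
        self.check_bailiwick = check_bailiwick
        self.records: Dict[Tuple[str, str], str] = {}

    def ingest(self, resp: Response) -> List[RR]:
        """Store answer and additional records; return those that were accepted."""
        accepted = []
        for rr in resp.answer + resp.additional:
            # Bailiwick rule: a server for example.biz. has no business telling
            # us the address of a host under example.com., so that glue is dropped.
            if self.check_bailiwick and not in_bailiwick(rr.name, resp.zone):
                continue
            self.records[(rr.name, rr.rtype)] = rr.data
            accepted.append(rr)
        return accepted

    def lookup(self, name: str, rtype: str) -> Optional[str]:
        return self.records.get((name, rtype))


# Constructed reply from a server in an alternate root's ".biz" to the query
# "example.biz. MX".  The additional section carries the glue a resolver
# would normally welcome (address of the mail host) plus an address record
# for a name under a completely different zone.
ALT_ROOT_MX_REPLY = Response(
    zone="example.biz.",
    answer=[RR("example.biz.", "MX", "10 mail.example.biz.")],
    additional=[
        RR("mail.example.biz.", "A", "198.51.100.25"),   # in bailiwick
        RR("ns1.example.com.", "A", "192.0.2.10"),        # out of bailiwick
    ],
)


def run_scenario(check_bailiwick: bool) -> Dict[str, Optional[str]]:
    """Feed the reply into a fresh cache and report what later lookups return."""
    cache = Cache(check_bailiwick)
    cache.ingest(ALT_ROOT_MX_REPLY)
    return {
        "mail.example.biz. A": cache.lookup("mail.example.biz.", "A"),
        "ns1.example.com. A": cache.lookup("ns1.example.com.", "A"),
    }


if __name__ == "__main__":
    for flag in (False, True):
        label = "bailiwick check on" if flag else "naive cache"
        print(f"{label}: {run_scenario(flag)}")
```

With the check off, the single MX lookup leaves the cache answering for ns1.example.com. with an address the example.com. operators never published; with it on, that record is discarded. Note what the check does not do: the in-bailiwick records from the alternate .biz server are still cached, so the resolver now carries data from a different tree for that name, which is exactly the within-TLD confusion the message is about. The bailiwick rule only stops a server in one tree from planting records for zones outside its own.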
