With the one-year anniversary of the biggest denial of service attack ever on the domain name system coming up this week, VeriSign has made provocative statements about commercializing the DNS.
Also coinciding with the anniversary, the Internet Software Consortium (ISC) will announce the formation of an Operations Analysis and Research Center (OARC), designed to help root server operators work together to make the Internet more reliable and secure.
The ISC said that the OARC was conceived in response to both the DDoS attacks and US homeland security initiatives, such as the formation of Information Sharing and Analysis Centers (ISACs).
However, OARC will have an international membership and agenda. Initial members include a who’s-who of acronymic Internet management bodies, such as ISOC, RIPE-NCC, ARIN, APNIC and LACNIC, as well as commercial interests including Cisco, MCI, UltraDNS, Afilias and XO Communications.
Members will share data relating to DNS stability with each other and with law enforcement, in order to respond to, and provision for, incidents.
It’s not known if VeriSign will be an initial member of OARC; the company appears more interested in a market-led approach to the operation of the DNS.
Already under fire over the Site Finder domain redirection controversy, VeriSign has been stepping up attacks on what it sees as the old-school technological mentality on the Internet that hinders commercial innovation.
The company argues that only commercial operators have the resources to adequately run the Internet’s infrastructure, which has mostly been the domain of academic, governmental and non-profit institutions.
The Internet’s domain name system, which is used in virtually every online application, is hierarchical, with 13 logical root servers, labeled A through M, providing the master lists of which domains should resolve to which IP addresses.
VeriSign runs A and J, the ISC runs F, the US military runs G and H. The others are operated by a diverse array of companies and organizations including ICANN, Cogent Communications, NASA, and the University of Maryland.
They’re part of the fabric of the Internet, and many people were largely complacent about their continued operation, until a year ago this week, when a large distributed denial of service attack severely degraded the responsiveness of the system.
During the attack, nine of the 13 [roots] went down, although some in the community say this is not technically accurate, and furthermore, that the non-profit community is doing as much if not more than VeriSign to bring stability and redundancy to the root server system to prevent future attacks.
According to an account of the attack authored by three root server operators, the 13-server constellation came under attack from a total of 900Mbps of traffic, but none of the servers actually stopped working.
It is also claimed that while all servers continued to answer all queries they received (due to successful overprovisioning of host resources), many valid queries were unable to reach some root name servers due to attack-related congestion effects.
In other words, the servers were not down, but in many cases they could not be reached by valid queries due to upstream bottlenecks (the effect is the same, however). VeriSign’s two roots were among the least affected by the attack.
While there are 13 logical roots, with 13 unique IP addresses, since the October 2002 attacks there have been efforts underway to place mirrors of these servers in diverse locations, using IP anycast to appear like one server.
The K-root, for example, is now located at the main peering points in both Amsterdam and London, and more are on the way. VeriSign’s J-root is located in six places in the US and Europe (its A-root is at one location in Virginia).
The ISC has tasked itself with deploying literally dozens of mirrors of the F-root all over the world. Since the DDoS attack, 13 mirrors have gone live, and at least 15 more are to go live next year.
VeriSign claims to have invested $150 million in two and a half years, although this figure is disputed.
There have been calls for VeriSign to be replaced as a root server operator, due to potential future conflicts of interest. If its lucrative status as operator of .com were ever to be revoked, the firm would be responsible for directing the master A-root to direct .com to its new operator.
In addition, there are concerns that the company could decide to extend its currently inactive Site Finder .com and .net wildcard system to the roots it controls, which could cause, directly or indirectly, more problems for the Internet.
This article was based on material originally published by ComputerWire.