Home / Blogs

Security and Fort N.O.C.‘s

In an article by MSNBC called “Fort N.O.C.‘s” [Network Operating Center]  Brock N. Meeks reports:

The unassuming building that houses the “A” root sits in a cluster of three others; the architecture looks as if it were lifted directly from a free clip art library.  No signs or markers give a hint that the Internet’s most precious computer is inside humming happily away in a hermetically sealed room.  This building complex could be any of a 100,000 mini office parks littering middle class America.

It is hardly the “most precious computer”!!! It is very easy to replicate the DNS root zone - in its compressed form it is smaller than many of the cutsie image buttons that besplatter web pages around the world; it will fit on a floppy disk with lots of room to spare.

As I have suggested, the “precious” aspect is merely the result of a near dogma that is unwilling to accept the fact that just as the telephone system can have multiple publishers of telephone books, the Internet can have multiple “roots” for DNS.

The issue is consistency. As long as those roots all point to the same places the end result will be the same, just as it is the same person who answers the telephone whether you find the phone number from brand X or brand Y telephone book.

Many of us who have had to live through natural disasters can attest to the value of having a copy of the root zone handy so that we can set up local emergency root servers and start rebuilding our infrastructures from the inside-out rather than waiting for the outside to come and find us.

The concept that VeriSign’s “a” root server is precious has substance only because we have blinded ourselves to the alternatives.

I don’t use the ICANN/VeriSign/Dept. of Commerce DNS root - I haven’t used it for something in the order of 7 years now. So my ability to resolve names is not dependent on whether that building in northern Virginia collapses in the next Virginia earthquake or not.

Far more damaging to the Internet would be loss of the suite of servers that serve-up the .com, .net, and in-addr.arpa domains.

Historically the root operators have formed a loose collation that coordinates and cooperates out of sense of duty, not regulation or contract.

One can only stand in astonishment at this fact. ICANN was created to assume the obligation to ensure to the public that the top levels of the DNS system work well, day-in and day-out. The fact that the DNS roots are still run by people who, despite their technical expertise and stellar performance so far, are completely beyond public accountability or bound to abide by any service level agreements, is very sad, and ought to be of great concern by those who believe that those who run critical resources on behalf of the public should be ultimately accountable to the public and obliged to provide clearly defined services according to clearly defined service levels.

Access to the Network Operations Center, the “NORAD” of the Internet’s traffic monitoring, requires the electronic badge and then a double biometric hand print scan.

Of course even the most dim-witted attacker would realize that no matter how strong the walls are, simply disconnecting the building from the net, either physically (with a back hoe) or logically (by saturating network links or by interfering with the routing of packets) is much more effective than a full frontal assault.

“Should the ‘A’ root fail for any reason, sudden network drop or a backhoe out there [cutting a line], somehow if this site just vanished off the Internet, it would automatically [switch] over to one or two other locations,” Silva said.  These are the so-called “warm back-ups” that VeriSign has on stand-by at all times.  The Internet never sees them, Silva says, but they can be up and running within 15 minutes and in that time Internet users wouldn’t even notice a hiccup in traffic, Silva says, owing to the fact that the majority of a user’s web experience is “cached” on a local Internet Service Provider.

That all presumes that packet routing - the all-important system that few talk about and which ISPs consider highly proprietary - is able to adapt to the routing changes. Physical connectivity is worthless if packets cannot find their way or are led into dead ends.

The late Jon Postel wanted to test some of these fallback systems - he was nearly burned at the stake for suggesting it.

I’m not suggesting that VeriSign’s engineering is bad. In fact, the folks at VeriSign have great technical abilities and a good attitude - their efforts deserve both recognition and congratulation.

However, as I said before - this fact that is armoring is needed is the result of our own mental blinders that don’t allow us to see that we can distribute the root information much further and much wider so that such points of sensitivity would not exist.

See my notes here.

By Karl Auerbach, Chief Technical Officer at InterWorking Labs

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



New TLDs

Sponsored byRadix


Sponsored byVerisign

Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign