Why does Slashdot keep linking to secondary sources, like Forbes.com, when the primary source is so easily available? Laziness would be my first guess.

Here is the much-better Renesys blog post: http://www.renesys.com/blog/2012/11/could-it-happen-in-your-countr.shtml

Questions about their methods of reasoning are the most interesting.

There may be 5 ISPs, each operating their own logical notwork, with their own IP space, servers, and everything--but they may all share the same physical fibre optic cable out of the country--especially if the country is an Island. New Zealand would be a good example of this: it is about 1500 km from Australia, and 1000 km from Fiji. There are only a few submarine fibre optic cables connecting to the rest of the world. Perhaps Southern Cross Cable and SPIN only?

The authors acknowledge they were mostly unable to analyse this, and had to guess about the number of physical conduits. They say they will have more to say about the limited physical connections in the future.

No you didn't hear the word "oil". You heard that the US is a net exporter of Gasoline, Diesel, and other fuels. These are refined products, not crude oil. Since 2008, the cunsumption rates (demand) for gasoline, diesel, and other fuels has fallen, as part of enonomic contraction. Thus, large refineries, especially on the Gulf coast near Houston, TX (Galveston, Texas City) have spare refining capacity. So, they buy crude, and refine it to produce gasoline and other products. Just as crude oil is traded globally, so is gasoline. The purchasers are nations with no refineries, like the Bahamas, or areas will less refining capacity than needed, like Equador or Argentina.

US consuption of oil has fallen from about 21 Mbbl/day to 18 Mbbl/day (rough). US production of oil is about 5 Mbbl/day. The US is nowhere near being an oil exporter. But, the US is importing some oil, refining it, and then exporting the refined products, like this:

1. Import oil
2. Refine into gasoline, diesel, jet fuel, etc
3. Export for profit!

So, this is a good business for the oil refiners, and puts money into the US economy. It does not mean that the US is oil independent, not even close.

Also, the cost of shipping oil across the ocean is insignificant compared to the value of the product to the end user. Ocean transportation is a tiny component of carbon emissions. I'd guess less than 1% off the top of my head.

The quotes indicate that a third party is making the assertation. So the BBC's staff has not looked at the evidence and concluded there is a weakness, the BBC is merely repeating a conclusion reached by others. The BBC has not verified the validy of this conclusion. Therefore the BBC is not reporting this as an established fact, they are reporting that reachers from the University of Cambridge are saying this, and the BBC isn't certain it's a demonstrable fact.

If you read the full article of any headline that contains quotes, you will find that the origin of the statement in quotes is not the BBC's writers, but another organization or person: a third party.

The BBC is trying to help you understand the source of the informaiton, an important part of journalism. They are trying to help you understand what they are reporting, not belittling your intelligence with 'emphasis' quotes.

Skype doesn't work on 1.6.

There are security flaws in 1.6 that could cause problems for Aunt Nettie.

1.6 doesn't support tethering or wi-fi hotspot.

Are these trivial non-issues to average people wanting to use a state-of-the-art smartphone? I think these are more than trivial.

Software is the real power of a smartphone.Not giving users update while the competition from Apple does is really working against the big advantage smartphones offer.

DNSSEC *does* prevent against this man-in-the-middle attack, that's in fact its main feature.

You say that a cache receiving the root glue (data about the root servers) has 'no way' to validate that the glue is legitimate. That's totally not true. There are many ways to validate the data, including verifying against an SSL website, well known public servers, etc.

Basically, your ideas are right. The idea is to query the closest server, for best performance. DNS data is very small, so there's not much financial concern about transmitting data across the world (which happens all the time on the internet)

Anyway, the logical routing of the internet doesn't always match the physical world. This is routine, and not a problem until DNS traffic crosses the great firewall of China, and is modified, which is what happened here.

Since this, route announcements have changed, and the Beijing server is not being queried.

But you are also correct about ISPs. ISPs can control (if they are good) which root servers are going to be queried from their network.

My overall point is that everything was operating routinely and correctly, until a new kind of DNS problem, not observed in the wild ever before, started happening. It's hard to expect the ISPs to prevent a problem they never knew would occur.

Your suggestion makes sense, but that's not what happened.

Something like this

I.root-servers.net (beijing) -> chinese networks -> Chile networks

So, the real I root server sent correct answers to the querying computer in Chile. But, as the DNS packet travelled across the Chinese network, it was modified, and so the packet received by the Chilean network was false, returning a fake IP address for some domains, like 'facebook.com'.

This is called a 'man-in-the-middle attack'. The Chinese network, in the middle, is modifying packets.

Once the I root server operators realized this was happening, they stopped the BGP route announcement from the I root server node in Beijing, so that queries to i.root-servers.net would not be answered in Beijing, but instead by the other i-root nodes. There are 34 currently, so no problems with load would occur shutting off one node.

Hopefully that makes sense.

P.S. www.root-servers.org

Well i think this unreasonably harsh. No one had ever seen the great firewall of china affect DNS traffic like this in the past. So no one (not even you) was suggesting that when they set up a root DNS server in Beijing, that it would effectively send out false answers.

Now, anyone who controls a part of the network you rely on can launch a man-in-the-middle attack, which is what happened here. So to suggest that this should never have been allowed to happen, you would have to be using strong cryptography in some way. DNS has never had that mechanism--but it will soon, cause DNSSEC is coming along.The root servers are deploying it right now, and so are the other Top-level-domains.

Also, as soon as the I-root server operators realized this problem was occurring, and was outside of their control, they disabled the server. Why do you think that they sat on this problem for a few days, doing nothing about it?

Lookups for things like 'www.facebook.com' were returning false answers. Youtube.com and others were affected too.

So if you got the bad answer from DNS (because you happend to query the Beijing root server), some of your favourite websites would be unreachable.

This doesn't compute for me. DNShas different record types to deal with the issue you are suggesting.

Animportant resource record type is the INA. (IN is the 'internet' class). This is probably the most heavily used record type.

So here's an example:
www.kame.net. 86365 IN A 203.178.141.194

If you have a web browser, it will often query the system resolver for a an A record. This is an IPv4 address. But if the browser wants, it will query for an AAAA record, like this:
www.kame.net. 86400 IN AAAA 2001:200:0:8002:203:47ff:fea5:3085

So, my point is, the version of BIND has no relevance on IPv4 addresses, and IPv6 addresses. It's the query type that determines that. That is part of DNS, and universal to all DNSsoftware.

P.S. a web-browser could query for both A and AAAA records, and have a preference of one or the other set

FlyingGuy's post is such a rambling, nonsensical rant i fear i may be being trolled.

To the grandparent: Yes, writing a DNSserver is that hard. The subtle complexities of the internet's directory service actual operations in the Real World is not trivial. The DNS system actually does more than you might think, and contains more record types than commonly understood.

Just upgrading DNS to support IPv6 was no trivial matter, and they actually got it wrong, first, with A6 records--it was decided that AAAA records were better.

I want to also point out that DNSSEC--cryptographic assurances applied to DNS--is a major step forward on fundamental DNS infrastructure, and implementing that is far from trivial. DNS is being tested at the root and major top-levels-domains even as i write this, and testing is planned to continue throughout 2010.

Finally, the data in the DNS is not at all consistent. The DNShas--realistically--over a million administrators. This is made possible by the delegation-hierarchy model of DNS, which works very well for a globally-scaled system. But it also means that strange-rule bending setups are out there... and dealing with all of them in some kind of consistent, reliable way is a major difficulty.

So again, writing a robust DNSserver is hard.

Oh, but FlyingGuy, back to your senseless musings: if DNSis such a bad system, can you name a superior alternative?

To all: DNSis a fine system, in constant, massive use on the internet with remarkable reliability, despite well-know targets of attack. It is incrementally being updated and advanced, with thoughtful and non-disruptive upgrades happening especially in the last 10 years. You can rely on DNS being around for another 30 years.

Excellent post. I agree, and worry about these problems too much, probably as you do too. I worry about our future, us short-sighted, greedy humans.