
Comment Re:Non story (Score 2) 126

BitInstant just selected dumb security questions/answers when they registered the domain name.

Wait, were the questions dumb, or the answers?

Allowing your clients to select dumb, insecure questions means that you have an optionally secure registration platform, which requires your customers to be competent about security.

To me, this kind of incident points out the need for a more expensive, higher security registrar, who designs systems which are very hard to subvert. Till now, DNS registrars have competed on price. This story says that security is important too, especially when control of the domain leads directly to cash money.

Comment Re:It's a peering dispute. (Score 3, Interesting) 207

Mod up please. This is much more reliable than the shrill /. summary, and the poorly informed article.

A peering dispute is totally conceivable, it's happened many times in the past between ISPs. Google paying a consumer network fees to carry traffic has *never* happened. The former is much more likely.

Comment Original Renesys post (Score 5, Insightful) 94

Why does Slashdot keep linking to secondary sources, like Forbes.com, when the primary source is so easily available? Laziness would be my first guess.

Here is the much-better Renesys blog post: http://www.renesys.com/blog/2012/11/could-it-happen-in-your-countr.shtml

Questions about their methods of reasoning are the most interesting.

There may be 5 ISPs, each operating their own logical network, with their own IP space, servers, and everything--but they may all share the same physical fibre optic cable out of the country--especially if the country is an island. New Zealand would be a good example of this: it is about 1500 km from Australia, and 1000 km from Fiji. There are only a few submarine fibre optic cables connecting to the rest of the world. Perhaps Southern Cross Cable and SPIN only?

The authors acknowledge they were mostly unable to analyse this, and had to guess about the number of physical conduits. They say they will have more to say about the limited physical connections in the future.

Comment Re:Press coverage (Score 1) 757

I heard the other day that our oil exports now exceed our oil imports. My question: why aren't we just using the oil we have, instead of shipping it across the ocean? Economics aside for a minute... this is having a huge impact to global warming, yet I'm the one being blamed?

No, you didn't hear the word "oil". You heard that the US is a net exporter of gasoline, diesel, and other fuels. These are refined products, not crude oil. Since 2008, the consumption rates (demand) for gasoline, diesel, and other fuels have fallen, as part of economic contraction. Thus, large refineries, especially on the Gulf coast near Houston, TX (Galveston, Texas City) have spare refining capacity. So, they buy crude, and refine it to produce gasoline and other products. Just as crude oil is traded globally, so is gasoline. The purchasers are nations with no refineries, like the Bahamas, or areas with less refining capacity than needed, like Ecuador or Argentina.

US consumption of oil has fallen from about 21 Mbbl/day to 18 Mbbl/day (rough). US production of oil is about 5 Mbbl/day. The US is nowhere near being an oil exporter. But, the US is importing some oil, refining it, and then exporting the refined products, like this:

1. Import oil
2. Refine into gasoline, diesel, jet fuel, etc
3. Export for profit!

So, this is a good business for the oil refiners, and puts money into the US economy. It does not mean that the US is oil independent, not even close.

Also, the cost of shipping oil across the ocean is insignificant compared to the value of the product to the end user. Ocean transportation is a tiny component of carbon emissions. I'd guess less than 1% off the top of my head.

Comment Re:Why the quotes? (Score 2) 133

The quotes indicate that a third party is making the assertion. So the BBC's staff has not looked at the evidence and concluded there is a weakness, the BBC is merely repeating a conclusion reached by others. The BBC has not verified the validity of this conclusion. Therefore the BBC is not reporting this as an established fact, they are reporting that researchers from the University of Cambridge are saying this, and the BBC isn't certain it's a demonstrable fact.

If you read the full article of any headline that contains quotes, you will find that the origin of the statement in quotes is not the BBC's writers, but another organization or person: a third party.

The BBC is trying to help you understand the source of the information, an important part of journalism. They are trying to help you understand what they are reporting, not belittling your intelligence with 'emphasis' quotes.

Comment Re:or there's the Android way... (Score 1) 257

Skype doesn't work on 1.6.

There are security flaws in 1.6 that could cause problems for Aunt Nettie.

1.6 doesn't support tethering or wi-fi hotspot.

Are these trivial non-issues to average people wanting to use a state-of-the-art smartphone? I think these are more than trivial.

Software is the real power of a smartphone. Not giving users updates while the competition from Apple does is really working against the big advantage smartphones offer.

Comment Re:Root servers? (Score 1) 181

DNSSEC *does* prevent against this man-in-the-middle attack, that's in fact its main feature.

You say that a cache receiving the root glue (data about the root servers) has 'no way' to validate that the glue is legitimate. That's totally not true. There are many ways to validate the data, including verifying against an SSL website, well known public servers, etc.


The Race To Beer With 50% Alcohol By Volume 297

ElectricSteve writes "Most of the world's beer has between 4% and 6% alcohol by volume (ABV). The strength of beer achieved by traditional fermentation brewing methods has limits, but a well-crafted beer that is repeatedly 'freeze distilled' can achieve exquisite qualities and much higher alcohol concentrations. An escalation in the use of this relatively new methodology over the last 12 months has seen man's favorite beverage suddenly move into the 40+% ABV realm of spirits such as gin, rum, brandy, whiskey, and vodka, creating a new category of extreme beer. The world's strongest beer was 27% ABV, but amidst an informal contest to claim the title of the world's strongest beer, the top beer has jumped in strength dramatically. This week Gizmag spoke to the brewers at the center of the escalating competition. New contestants are gathering, and the race is now on to break 50% alcohol by volume."

Comment Re:I blame American ISP's (Score 3, Insightful) 91

Basically, your ideas are right. The idea is to query the closest server, for best performance. DNS data is very small, so there's not much financial concern about transmitting data across the world (which happens all the time on the internet).

Anyway, the logical routing of the internet doesn't always match the physical world. This is routine, and not a problem until DNS traffic crosses the great firewall of China, and is modified, which is what happened here.

Since this, route announcements have changed, and the Beijing server is not being queried.

But you are also correct about ISPs. ISPs can control (if they are good) which root servers are going to be queried from their network.

My overall point is that everything was operating routinely and correctly, until a new kind of DNS problem, not observed in the wild ever before, started happening. It's hard to expect the ISPs to prevent a problem they never knew would occur.

Comment Re:What happened? (Score 5, Informative) 91

Your suggestion makes sense, but that's not what happened.

Something like this:

I.root-servers.net (beijing) -> chinese networks -> Chile networks

So, the real I root server sent correct answers to the querying computer in Chile. But, as the DNS packet travelled across the Chinese network, it was modified, and so the packet received by the Chilean network was false, returning a fake IP address for some domains, like 'facebook.com'.

This is called a 'man-in-the-middle attack'. The Chinese network, in the middle, is modifying packets.

Once the I root server operators realized this was happening, they stopped the BGP route announcement from the I root server node in Beijing, so that queries to i.root-servers.net would not be answered in Beijing, but instead by the other i-root nodes. There are 34 currently, so no problems with load would occur shutting off one node.

Hopefully that makes sense.

P.S. www.root-servers.org

Comment Re:Heads should roll (Score 3, Insightful) 91

This should never have been allowed to happen in the first place, and when it had, it shouldn't have been allowed to persist for a few days before being made public and taking action.

Well, I think this is unreasonably harsh. No one had ever seen the great firewall of China affect DNS traffic like this in the past. So no one (not even you) was suggesting that when they set up a root DNS server in Beijing, that it would effectively send out false answers.

Now, anyone who controls a part of the network you rely on can launch a man-in-the-middle attack, which is what happened here. So to suggest that this should never have been allowed to happen, you would have to be using strong cryptography in some way. DNS has never had that mechanism--but it will soon, 'cause DNSSEC is coming along. The root servers are deploying it right now, and so are the other top-level domains.

Also, as soon as the I-root server operators realized this problem was occurring, and was outside of their control, they disabled the server. Why do you think that they sat on this problem for a few days, doing nothing about it?

Comment Re:Future direction? (Score 1) 172

DNS for IPv6 will have to know a whole lot more about which address to dish out 1st than current versions of BIND and I'm not sure how long it will take to get a good handle on that problem.

This doesn't compute for me. DNS has different record types to deal with the issue you are suggesting.

An important resource record type is the IN A. (IN is the 'internet' class). This is probably the most heavily used record type.

So here's an example:
www.kame.net. 86365 IN A 203.178.141.194

If you have a web browser, it will often query the system resolver for an A record. This is an IPv4 address. But if the browser wants, it will query for an AAAA record, like this:
www.kame.net. 86400 IN AAAA 2001:200:0:8002:203:47ff:fea5:3085

So, my point is, the version of BIND has no relevance on IPv4 addresses, and IPv6 addresses. It's the query type that determines that. That is part of DNS, and universal to all DNS software.

P.S. a web-browser could query for both A and AAAA records, and have a preference of one or the other set
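
An added illustration of the comment above (not part of the original comment, and not code from BIND or any other DNS software): it builds the wire-format query for `www.kame.net` twice and shows that the A and AAAA requests differ only in the QTYPE field, then decodes the two record values quoted in the comment. The helper names and the transaction ID are assumptions made for this example.

```python
import ipaddress
import struct

QTYPE = {"A": 1, "AAAA": 28}  # type codes from RFC 1035 (A) and RFC 3596 (AAAA)
CLASS_IN = 1                  # the 'internet' class


def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, rtype, txid=0x1234):
    """Build a one-question DNS query (txid is a constructed sample value)."""
    # Header: ID, flags (recursion desired), QDCOUNT=1, AN/NS/AR counts = 0.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE[rtype], CLASS_IN)
    return header + question


def differing_offsets(a, b):
    """Byte offsets at which two equal-length messages differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def decode_rdata(rtype_code, rdata):
    """Render A (4-byte) or AAAA (16-byte) RDATA as a text address."""
    if rtype_code == QTYPE["A"] and len(rdata) == 4:
        return str(ipaddress.IPv4Address(rdata))
    if rtype_code == QTYPE["AAAA"] and len(rdata) == 16:
        return str(ipaddress.IPv6Address(rdata))
    raise ValueError("RDATA length does not match record type")


if __name__ == "__main__":
    q_a = build_query("www.kame.net.", "A")
    q_aaaa = build_query("www.kame.net.", "AAAA")
    # The only differing byte is the low byte of QTYPE (0x01 vs 0x1c).
    print("queries differ at byte offsets:", differing_offsets(q_a, q_aaaa))
    # RDATA for the two records quoted in the comment above.
    print(decode_rdata(1, bytes([203, 178, 141, 194])))
    v6 = ipaddress.IPv6Address("2001:200:0:8002:203:47ff:fea5:3085").packed
    print(decode_rdata(28, v6))
```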
