First? TRUE Root Name Server On Line

Jamie jamie at dilbert.multiverse.com
Sat Nov 23 22:32:16 UTC 1996


The server sucks.

Who the fuck runs a "root nameserver" with open things like this?
Open telnet, SMAIL on mail, and small-tcp (ATTACKABLE) services
like chargen, echo, discard, Please.

www3% telnet 199.5.157.5
Trying 199.5.157.5...
Connected to 199.5.157.5.
Escape character is '^]'.


BSDI BSD/386 1.1 (NS2.NIC.EARTH) (ttyp1)

login: ^DConnection closed by foreign host.
www3% telnet 199.5.157.5 25
Trying 199.5.157.5...
Connected to 199.5.157.5.
Escape character is '^]'.
220 NS2.NIC.EARTH Smail3.1.28.1 #17 ready at Sat, 23 Nov 96 16:48 WET
quit
221 NS2.NIC.EARTH closing connection
^PConnection closed by foreign host.
www3% telnet 199.5.157.5 chargen
Trying 199.5.157.5...
Connected to 199.5.157.5.
Escape character is '^]'.
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefg
^]
telnet> q
Connection closed.
www3% telnet 199.5.157.5 echo    
Trying 199.5.157.5...
Connected to 199.5.157.5.
Escape character is '^]'.
^]
telnet> q
Connection closed.
www3% telnet 199.5.157.5 discard
Trying 199.5.157.5...
Connected to 199.5.157.5.
Escape character is '^]'.
^]
telnet> q
Connection closed.

> When history is made on the Internet, it is important to briefly pause
> to recognize the event, and then move forward.

Yes, that event will be celebrated world wide: The Day that Jim Fleming
Left the Internet. We'll call it Ex-Jim Day.

> 	1. First and foremost, this appears to be the first, public
> 		access, Root Name Server which operates as
> 		a TRUE NON-RECURSIVE Root Server [2]. This is a
> 		requirement which is part of the new root name server
> 		guidelines which are being discussed by the IETF and
> 		other engineering groups. The 9 "popular" root name
> 		servers use by many ISPs do NOT meet these
> 		guidelines and resolve second level names.[3]

It's their JOBS to resolve second level names, idiot.  What do you think
would happen if every time you queried for "unety.net NS" it just returned
*.root-servers.net nameservers?  Wouldn't get you very far.

> 		True root name servers should do nothing but return
> 		references to TLD Name Servers [2], to reduce the
> 		scope of their control and their overall load.

.. and increase the amount of DNS traffic. 

> 	2. The official name of this root name server is...NS2.NIC.EARTH.
> 		Because of the growing availability of access to the
> 		new Top Level Domains, such as .EARTH, it seems
> 		appropriate to begin naming the new Root Name Servers
> 		with the newly available names.

"growing availability to new TLDs" or "the growing number of people who
think they own a TLD when it's nothing more than vapor?"

> 	3. This Root Name Server can be added to the growing collection
> 		of Root 64 Name Servers which can be freely used
> 		by ISPs in their "root.cache" files. Because this Root
> 		Name Server is supported by a commercial enterprise,
> 		and not a hodge podge of volunteers (or the U.S.
> 		Government), ISPs can use this Root Name Server to
> 		help bring added stability and performance to their
> 		systems. [4] [5]

Nah. I'll stick with mine. Thanks.

> As has been proven over and over during the past year, new commercial
> Top Level Domains are a reality along with new commercial Root Name
> Servers. The business community is rising to the challenge of building
> a better, more complete, and better engineered Internet now that the
> research and development is largely over.

Even if you get 10,000 sysadmins to change their root.cache file, you
will still be unreachable to 90% of the Internet unless you get the
*.root-servers.net servers to officially recognize you.

> More commercial Root Name Servers are being installed and tested.

Apparently AGN's wasn't one of them.  It's a security hole waiting to
happen.  The last thing I want is some moron hacking into a server
that I refer to as a root nameserver, changing the data, and giving my
customers false information.  Too much risk.

> @@@@@@   [1]   @@@@@@@@@
> 
> Result of: whois 199.5.156

Oh boy, i can 'whois'

> The American Global Network, Inc. (NETBLK-RABBIT2)

IT'S R at BB1T.N3T!!@#!@#&!@#%!@&#%

> @@@@@@   [3]   @@@@@@@@@
> 
> Result of: dig @a.root-servers.net mcs.com any
> 
> ; <<>> DiG 2.1 <<>> @a.root-servers.net mcs.com any 
> ; (1 server found)
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
> ;; flags: qr rd; Ques: 1, Ans: 2, Auth: 2, Addit: 2
> ;; QUESTIONS:
> ;;	mcs.com, type = ANY, class = IN
> 
> ;; ANSWERS:
> mcs.com.	172800	NS	CEREBUS.mcs.com.
> mcs.com.	172800	NS	KITTEN.mcs.com.

You don't understand the recursion flag, do you?

Tell me, Jim, what would happen if you were right: What would happen
if the root servers did not have an 'options no-recursion' option in
the bootfile? (or, as your limited knowledge thinks, "named -r"?)

Think, Jim.

Think really hard.

*.root-servers-net are "primary" nameservers for SLD's in the .COM zone.
If you queried a root-servers.net nameserver for "mcs.com any" and got back
a list of nameservers, you'd theoretically NEVER be able to get MCS.COM
records.

Here is how you test recursion:

dig @a.root-servers.net some-hostname.xyz.com

where 'some-hostname.xyz.com' is NOT a listed host for any domains.

Here's proof.

(aroot is a nickname for a.root-servers.net btw)

ns1% dig @aroot news.multiverse.com. any

; <<>> DiG 2.2 <<>> @aroot news.multiverse.com. any 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr rd; Ques: 1, Ans: 0, Auth: 5, Addit: 5
;; QUESTIONS:
;;      news.multiverse.com, type = ANY, class = IN

;; AUTHORITY RECORDS:
MULTIVERSE.COM. 172800  NS      A.DNS.MULTIVERSE.COM.
MULTIVERSE.COM. 172800  NS      NS2.OAR.NET.
MULTIVERSE.COM. 172800  NS      NS1.AMERICA.COM.
MULTIVERSE.COM. 172800  NS      STORM.LIGHTNING.NET.
MULTIVERSE.COM. 172800  NS      IN-ADDR.ARPA.COM.

;; ADDITIONAL RECORDS:
A.DNS.MULTIVERSE.COM.   172800  A       207.170.128.10
NS2.OAR.NET.    172800  A       192.88.195.10
NS1.AMERICA.COM.        172800  A       206.125.236.11
STORM.LIGHTNING.NET.    172800  A       206.148.240.3
IN-ADDR.ARPA.COM.       172800  A       207.170.140.2

;; Total query time: 76 msec
;; FROM: ns1 to SERVER: aroot  198.41.0.4
;; WHEN: Sat Nov 23 16:52:44 1996
;; MSG SIZE  sent: 37  rcvd: 259


--- If this nameserver were recursive, it would have given me the "A"
record for news.multiverse.com. But it didn't.

Again proving that you don't know what you're talking about.

Here's a server with recursion on:

ns1% dig @ns.unety.net. news.multiverse.com a |more

; <<>> DiG 2.2 <<>> @ns.unety.net. news.multiverse.com a 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr rd ra; Ques: 1, Ans: 1, Auth: 7, Addit: 7
;; QUESTIONS:
;;      news.multiverse.com, type = A, class = IN

;; ANSWERS:
news.multiverse.com.    3597    A       207.170.128.13

;; AUTHORITY RECORDS:
MULTIVERSE.COM. 110501  NS      A.DNS.MULTIVERSE.COM.
MULTIVERSE.COM. 110501  NS      NS2.OAR.NET.
MULTIVERSE.COM. 110501  NS      NS1.AMERICA.COM.
MULTIVERSE.COM. 110501  NS      STORM.LIGHTNING.NET.
MULTIVERSE.COM. 110501  NS      IN-ADDR.ARPA.COM.
MULTIVERSE.COM. 3597    NS      b.DNS.MULTIVERSE.COM.
MULTIVERSE.COM. 3597    NS      ns1.OAR.NET.

;; ADDITIONAL RECORDS:
A.DNS.MULTIVERSE.COM.   156753  A       207.170.128.10
NS2.OAR.NET.    167647  A       192.88.195.10
NS1.AMERICA.COM.        110507  A       206.125.236.11
STORM.LIGHTNING.NET.    110507  A       206.148.240.3
IN-ADDR.ARPA.COM.       110507  A       207.170.140.2
b.DNS.MULTIVERSE.COM.   156753  A       207.170.128.11
ns1.OAR.NET.    167647  A       192.88.193.144

;; Total query time: 26 msec
;; FROM: ns1 to SERVER: ns.unety.net.  207.32.128.1
;; WHEN: Sat Nov 23 16:54:33 1996
;; MSG SIZE  sent: 37  rcvd: 341

Your nameserver!

Please read up on how DNS works and then come back.

Until then, go back to your playpen.


-- 
jamie g.k. rishaw | work: jamie at multiverse.com  | home: jamie at arpa.com
url-free sig file | multiverse corporate support| work tel: 216 771 0002
  "I'm a doctor, not a doorstop!"  -EMH, "Star Trek: First Contact"






More information about the NANOG mailing list