VeriSign demands website takedown powers

McTim dogwallah at GMAIL.COM
Tue Oct 11 22:28:57 CEST 2011


On Tue, Oct 11, 2011 at 11:10 PM, Nuno Garcia <ngarcia at ngarcia.net> wrote:

> Yes, but besides the A servers, which they can tweak, you have another 12
> classes of servers that are at the same root level. So, for example, can
> they access the DB of class K server which is in the Netherlands?



They both take the zonefile from a central server.

You seem to be conflating .com servers with root servers.  The root zone tells
you how to find the .com servers.  The .com servers tell you which servers
have auth DNS for a certain .com zone.



>
> The update feature in the protocol propagates the changes in the DB and
> that eventually affects all the DB in all the DNS servers in the world.
>

Not exactly.  DNS is a distributed hierarchical DB.

Let's take ngarcia.net for example.  If you decide to change hosts, you
would need to update the A record (and AAAA for IPv6) in your DNS server.

Currently those are:

ngarcia.net.            172800  IN      NS      ns25.domaincontrol.com.
ngarcia.net.            172800  IN      NS      ns26.domaincontrol.com.

As long as you keep the same servers, ns25 and ns26, then .net doesn't need
to know what your A record is; it just needs to be able to send DNS queries
to ns25 and ns26.

The root doesn't "need to know" this either, it just needs to know which
servers are AUTH for .net.

Your new A records only get "propagated" when people make DNS queries for
ngarcia.net.  Not all servers in the world will have this data, but they
will all know how to query the root for .net, then take that answer and
query the .net server for ngarcia.net.



> So - this is possible because of their location and because of root server
> update algorithms.
>

No, see above.  Root and .com/.net should not be conflated.


>
> If, by chance, the K server chose not to update*, users in Europe would
> still be able to find a US-canceled .com domain.
>

No, see above.  Root and .com/.net should not be conflated.  K serves
root zone info (how to find .com).

Here I ask "K" what the address for ngarcia.net is, and it doesn't know (but
it tells you where to look next for that info):


C:\Documents and Settings\Administrator>dig @K.root-servers.net ngarcia.net A

; <<>> DiG 9.3.2 <<>> @K.root-servers.net ngarcia.net A
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 929
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14

;; QUESTION SECTION:
;ngarcia.net.                   IN      A

;; AUTHORITY SECTION:
net.                    172800  IN      NS      a.gtld-servers.net.
net.                    172800  IN      NS      b.gtld-servers.net.
net.                    172800  IN      NS      c.gtld-servers.net.
net.                    172800  IN      NS      d.gtld-servers.net.
net.                    172800  IN      NS      e.gtld-servers.net.
net.                    172800  IN      NS      f.gtld-servers.net.
net.                    172800  IN      NS      g.gtld-servers.net.
net.                    172800  IN      NS      h.gtld-servers.net.
net.                    172800  IN      NS      i.gtld-servers.net.
net.                    172800  IN      NS      j.gtld-servers.net.
net.                    172800  IN      NS      k.gtld-servers.net.
net.                    172800  IN      NS      l.gtld-servers.net.
net.                    172800  IN      NS      m.gtld-servers.net.

;; ADDITIONAL SECTION:
a.gtld-servers.net.     172800  IN      A       192.5.6.30
b.gtld-servers.net.     172800  IN      A       192.33.14.30
c.gtld-servers.net.     172800  IN      A       192.26.92.30
d.gtld-servers.net.     172800  IN      A       192.31.80.30
e.gtld-servers.net.     172800  IN      A       192.12.94.30
f.gtld-servers.net.     172800  IN      A       192.35.51.30
g.gtld-servers.net.     172800  IN      A       192.42.93.30
h.gtld-servers.net.     172800  IN      A       192.54.112.30
i.gtld-servers.net.     172800  IN      A       192.43.172.30
j.gtld-servers.net.     172800  IN      A       192.48.79.30
k.gtld-servers.net.     172800  IN      A       192.52.178.30
l.gtld-servers.net.     172800  IN      A       192.41.162.30
m.gtld-servers.net.     172800  IN      A       192.55.83.30
a.gtld-servers.net.     172800  IN      AAAA    2001:503:a83e::2:30

;; Query time: 515 msec
;; SERVER: 193.0.14.129#53(193.0.14.129)
;; WHEN: Tue Oct 11 23:27:19 2011
;; MSG SIZE  rcvd: 486

I am off to bed.

--
Cheers,

McTim
"A name indicates what we seek. An address indicates where it is. A route
indicates how we get there."  Jon Postel
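The referral chain McTim describes (root -> .net -> the domain's own servers) can be walked in a small model. The following is an added example written for this archive page, not code from McTim or the list, and it runs offline: the zone data is constructed, the only root server modelled is k.root-servers.net (the one queried above), the IP addresses are RFC 5737 placeholders rather than the real ones, and the separate lookup of the nameservers' own addresses is skipped (the resolver is keyed by nameserver hostname). It shows the two points of the message: changing hosts only touches the domain's own zone, and a delegation removed at the .net registry makes the name unresolvable whether or not the root server has "updated", because the root never held the name in the first place. One caveat the model leaves out is caching: a recursive resolver that already has the old NS or A records keeps serving them until their TTL (172800 seconds in the dig output above) expires.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Zone:
    """What one level of the hierarchy actually holds: the root knows who
    serves .net, .net knows who serves ngarcia.net, and only the domain's
    own servers hold the A record."""
    apex: str
    delegations: Dict[str, List[str]] = field(default_factory=dict)  # child zone -> NS hostnames
    records: Dict[str, str] = field(default_factory=dict)            # owner name -> A record

def query(zone: Zone, qname: str):
    """Answer like an authoritative server: an A record if the zone has one,
    otherwise a referral for the closest delegation, otherwise nxdomain."""
    if qname in zone.records:
        return "answer", zone.records[qname]
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels)):
        child = ".".join(labels[i:]) + "."
        if child in zone.delegations:
            return "referral", zone.delegations[child]
    return "nxdomain", None

def resolve(qname: str, root_servers: List[str], servers: Dict[str, Zone],
            max_hops: int = 8) -> Tuple[Optional[str], List[Tuple[str, str]]]:
    """Iterative resolution: start at the root and follow referrals, asking the
    first listed server at each step. Returns (ip or None, trail) where trail
    records which zone answered and how."""
    targets = root_servers
    trail: List[Tuple[str, str]] = []
    for _ in range(max_hops):
        zone = servers[targets[0]]
        kind, data = query(zone, qname)
        trail.append((zone.apex, kind))
        if kind == "answer":
            return data, trail
        if kind == "nxdomain":
            return None, trail
        targets = data
    raise RuntimeError("referral loop")

def build_world():
    """Constructed zone data. Hostnames follow the thread; addresses are placeholders."""
    gtld = [f"{c}.gtld-servers.net." for c in "abcdefghijklm"]
    domain_ns = ["ns25.domaincontrol.com.", "ns26.domaincontrol.com."]
    root = Zone(".", delegations={"net.": gtld})
    net = Zone("net.", delegations={"ngarcia.net.": domain_ns})
    domain = Zone("ngarcia.net.", records={"ngarcia.net.": "192.0.2.10"})
    servers: Dict[str, Zone] = {"k.root-servers.net.": root}
    servers.update({ns: net for ns in gtld})          # all 13 gTLD servers serve one .net zone
    servers.update({ns: domain for ns in domain_ns})  # both NS hosts serve one ngarcia.net zone
    return ["k.root-servers.net."], servers

def lookup_normal():
    roots, servers = build_world()
    return resolve("ngarcia.net.", roots, servers)

def lookup_after_rehosting():
    """Moving hosts: only the A record in the domain's own zone changes.
    The root and .net data are untouched, yet the new address resolves."""
    roots, servers = build_world()
    servers["ns25.domaincontrol.com."].records["ngarcia.net."] = "198.51.100.7"
    return resolve("ngarcia.net.", roots, servers)

def lookup_after_tld_removes_delegation():
    """The .net registry drops the NS records. The root still refers to the
    gTLD servers exactly as before, so K 'not updating' changes nothing."""
    roots, servers = build_world()
    del servers["a.gtld-servers.net."].delegations["ngarcia.net."]
    return resolve("ngarcia.net.", roots, servers)

if __name__ == "__main__":
    for label, fn in [("normal", lookup_normal),
                      ("after rehosting", lookup_after_rehosting),
                      ("after .net drops delegation", lookup_after_tld_removes_delegation)]:
        ip, trail = fn()
        print(f"{label:28s} -> {ip!r:16s} via {trail}")
```

Running it prints the trail for each case; in the last one the walk ends at the .net servers with nxdomain, never reaching the domain's own servers, which is why the question "can they access the DB of the K server" does not bear on whether a cancelled .com or .net name still resolves.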