Root Server Operators: Diversity is the Key

11 December 2015

Terry Manderson, Sr. Director, Security and Network Engineering

Over the past week, we’ve seen some buzz over a set of events that occurred last week, which impacted a small proportion of the Root Server Operators. While ICANN does operate L-Root, we do not speak for the collective of Root Server Operators. In the spirit of transparency, the Operators have a published a collective statement regarding the events. You can read it here.

ICANN completely agrees with and supports the text in the Root Server Operators statement. However, there are a couple of salient points that we would like to expand upon.

While attacks like these are rare, they can and do happen. In fact, there might be any number of reasons that your Internet Service Provider’s (ISP) Domain Name System (DNS) resolver can’t reach one particular root server. This could be related to your ISP’s routing, or some level of unrelated international network event, such as a severed submarine cable. The DNS protocol is designed to be resilient in these scenarios, and it worked as expected.

Diversity in the system is fundamental to why this works as it does. ICANN makes operational decisions on how it operates and locates L-Root anycast instances independently from the other root servers, even down to the software we choose. This diversity means there is substantial operational resiliency in the entire Root Server System.

Unfortunately, many seem to be saying, “Oh my, a root server or two didn’t respond for a short period of time – this must be bad!” However, it’s important to look at the events in their entirety to determine how we should react.

When I was made aware, my first response was, “Wow! The entire system works.” There was no discernable impact on end users, even though some root servers weren’t available for a short period of time. So people were still able to visit websites, YouTube uploads didn’t stop, online shopping continued and users were able to upload photos of their food to Instagram.

Does this mean the entire Internet operations community should become complacent? Absolutely not. The Root Server Operators statement highlights a salient point. If all network operators implement the provisions from BCP 38, the attacks that were attempted towards the Root Server Operators would not have occurred in the first place. In fact, a vast number of these “spoofed” or forged source address Denial of Service (DoS) attacks that target many organisations or individuals would be stopped in their tracks.

So here is my challenge to you: Does your company implement BCP38? Does your ISP implement BCP38? Do you have a contract term that specifies they implement BCP38? If not, encourage them to do so. Implementing BCP38 ultimately protects you, your own interests on the Internet and the Internet as a whole.

Sr. Director, Security and Network Engineering

Terry Manderson