Are You SURE This Is A Good Idea?

by Karl Denninger, Market Ticker:

What could possibly go wrong with setting an example like this?

Cogent Communications will pull the plug on its connectivity to customers in Russia in response to President Putin’s invasion of Ukraine.

The US-based biz is one of the planet’s largest internet backbones – the freeways of the internet – and says it carries roughly a quarter of global ‘net traffic.

Modern-day “aggregators”, of which Cogent is one, are often the source of address delegations as well. Cogent has confirmed that it is canceling the IP addresses it delegated out; when you use an aggregator you don’t actually “own” any delegations you may have, because for routing purposes the aggregator holds the registration on them. For residential users this is not a major issue, but for commercial sites where reverse mapping matters it can be at least a moderate hassle.


Much-more ominous, however, is this:

ICANN on Wednesday rebuffed a request from Mykhailo Fedorov, First Vice Prime Minister of Ukraine, to revoke all Russian web domains, shut down Russian DNS root servers, and invalidate associated TLS/SSL certificates in response to the Russian invasion of Ukraine.

First, ICANN has no ownership of the DNS root servers; they’re privately owned and operated. What it could do is remove “undesirable” ones from the root “hints” file that is publicly distributed. Actually getting ISPs around the globe to change their hints files is quite possibly another matter. Again, this is a distributed data set, and what is distributed as the root hints are suggestions, not commands.

Could ICANN revoke the .RU top-level domain?  Yes, but doing so risks a schism.

Again, there is nothing that can be done to enforce upon ISPs (or, for that matter, anyone willing to run their own local resolver, as I do here at my home) which top-level domains exist and who is the delegated authority for them.

Back during the “domain war” times when MCSNet was operating we were part of, and participated in, expanding the TLD space when what was to become ICANN refused, claiming “technical impossibility without overload problems.” I knew this was bull**** and proved it along with others; the entire debate was in fact political and the so-called “mavens” that were running it and exploiting domain registrations to make an obscene, monopolist profit were claiming technical limitations that did not exist. I and a handful of others set it up, proved it worked and were slowly getting adoption by ISPs around the globe when one of the protagonists took to a bit of cyber hackery. I left the project immediately when I discovered it because not only was that going to doom its acceptance but it was wildly unethical at best and possibly felonious and I wanted nothing to do with any group associated with that.

But eDNS, which is what we called it, studiously avoided, intentionally, any interference with the existing TLDs.  That is, we were an extension but never a conflict source for same and I made very clear to all the participants that my engagement, software development and participation was utterly dependent on same — and if there was any attempt to violate that by any member of the group we would immediately and loudly walk away even though doing so would mean abandoning a very sizeable — maybe billion dollar or better — business opportunity.

Non-interference in this process was and is very important for Internet continuity for a whole host of reasons, not the least of which is that TLD delegations, and the sub-delegations within them, are in fact tied to SSL certificates, and if you can corrupt one you could also impersonate someone with disastrous results. Today domains can be signed with cryptographic keys (and in fact are), but that integrity relies on the chain upward to the TLD being single-source. That is, if I can successfully replace “.org” and its cryptographic zone signature, then I can also replace “” and its cryptographic zone signature with a counterfeit. This then, in turn, means I can replace the certificate with a counterfeit, and having done so all the automated checking that is usually done will in fact test as “good”!
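As an added illustration of why the chain upward has to be single-source (this is example code written for this page, not part of Denninger's post or of any DNS software), the Go model below walks a DNSSEC-style delegation chain, root to TLD to domain, with Ed25519 signatures and SHA-256 digests standing in for DNSKEY/DS/RRSIG; the Zone, Delegation and Validate names and the whole chain are hypothetical simplifications, and every key is generated on the spot. A validator anchored on the genuine root rejects a swapped TLD key, but a validator pointed at an alternate root that vouches for the counterfeit accepts the entire forged chain as “good”.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Zone stands in for a signed DNS zone: just its signing key pair (simplification).
type Zone struct{ Priv ed25519.PrivateKey; Pub ed25519.PublicKey }
func NewZone() Zone {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return Zone{priv, pub}
}
// Delegation is what a parent publishes for a child: a DS-style digest of the
// child's key plus the parent's signature over it (the RRSIG on the DS record).
type Delegation struct{ DS [32]byte; Sig []byte }
func (parent Zone) Delegate(child Zone) Delegation {
	ds := sha256.Sum256(child.Pub)
	return Delegation{ds, ed25519.Sign(parent.Priv, ds[:])}
}
// Validate walks anchor -> TLD -> domain. Each DS must be signed by the key
// already trusted for the parent, and each child key must hash to that DS.
func Validate(anchor ed25519.PublicKey, chain []Delegation, keys []ed25519.PublicKey) bool {
	trusted := anchor
	for i, d := range chain {
		if !ed25519.Verify(trusted, d.DS[:], d.Sig) || sha256.Sum256(keys[i]) != d.DS {
			return false
		}
		trusted = keys[i]
	}
	return true
}
// Scenarios: the genuine chain; .org's key swapped without the root's cooperation;
// and a schism chain (an alternate root vouches for the swapped .org) checked
// against the alternate anchor and then against the genuine one.
func Scenarios() (genuine, swappedTLD, schismAltAnchor, schismRealAnchor bool) {
	root, org, site := NewZone(), NewZone(), NewZone() // constructed keys, not real zones
	genuine = Validate(root.Pub, []Delegation{root.Delegate(org), org.Delegate(site)},
		[]ed25519.PublicKey{org.Pub, site.Pub})
	fakeOrg, fakeSite := NewZone(), NewZone()
	fakeKeys := []ed25519.PublicKey{fakeOrg.Pub, fakeSite.Pub}
	swappedTLD = Validate(root.Pub, []Delegation{root.Delegate(org), fakeOrg.Delegate(fakeSite)}, fakeKeys)
	altRoot := NewZone()
	schism := []Delegation{altRoot.Delegate(fakeOrg), fakeOrg.Delegate(fakeSite)}
	schismAltAnchor = Validate(altRoot.Pub, schism, fakeKeys)
	schismRealAnchor = Validate(root.Pub, schism, fakeKeys)
	return
}
```

The last two results are the point: the counterfeit chain validates perfectly once the resolver trusts a different root, so signing alone settles nothing unless everyone chases the same anchor.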

Read further at SGT Report