On Thu, 18 Sep 2003 09:01:27 EDT, "Jonathan A. Zdziarski" said:

> * Establish a new set of root servers and top level registry
> * Publish a new root server list over 80% of ISPs will likely use,
>   resulting in Verisign's root servers becoming obsolete
> * Provide the legal and financial backing it will take to
>   accomplish this

The financial backing is non-trivial. You're going to need some pretty serious big iron, and some pretty bad-ass bandwidth. Remember - there are 13 root server addresses - and most of them are anycast, meaning there are actually something like 5-10 identical copies all over the place. So be ready to pay for 20-30 machines that have *real* reliability - you don't want to be trying this with a Dell 2U rackmount.

http://www.caida.org/~kkeys/dns/2002-08-14/2002-08-14-queries.png

That's normal traffic. 5K queries/second per server. That's a 10-minute average, so statistically you're going to have short bursts of MUCH higher that you need to handle to keep the latency down.

Did I mention that you need to have enough muscle to survive a DDoS attack? "Filter it all at the upstream" isn't a viable defense when you're a root nameserver, since if you don't answer, things start to suck.

Oh.. and you'll need trusted and experienced people, and be willing to pay them.

And this is overlooking the fact that it isn't the root servers that are the problem. Those have been rock solid and remarkably controversy-free. In fact, the root is *SO* solid that in close to 20 years, the *biggest* controversy was that Postel switched the primary one night without written permission - by feeding a different root server the same exact config file and letting it propagate it rather than the usual server that did the propagation.

Your culprits are elsewhere:

Don't like the selection of top-level domains? Talk to ICANN.

Don't like how a TLD is run? Talk to ICANN and the administrator of that TLD.