A Root-Server at the Internet's Core Lost Touch With Its Peers. We Still Don't Know Why.
A server maintained by Cogent Communications, one of the 13 root servers crucial to the Internet's domain name system, fell out of sync with its peers for over four days due to an unexplained glitch. This issue, which could have caused worldwide stability and security problems, was resolved on Wednesday.
The root servers store cryptographic keys necessary for authenticating intermediate servers under the DNSSEC mechanism. Inconsistencies in these keys across the 13 servers could lead to an increased risk of attacks such as DNS cache poisoning. Engineers postponed planned updates to the .gov and .int domain name servers' DNSSEC to use ECDSA cryptographic keys until the situation stabilized. Cogent stated that it became aware of the issue on Tuesday and resolved it within 25 hours. ArsTechnica, which has a great writeup about the incident, adds: Initially, some people speculated that the depeering of Tata Communications, the c-root site outage, and the update errors to the c-root itself were all connected somehow. Given the vagueness of the statement, the relation of those events still isn't entirely clear.
It happens (Score:5, Funny)
RNDC keys versus full DNSSEC harness (Score:2)
Oh, look it's Cogent Communications... (Score:5, Informative)
Just in case anybody has forgotten. Cogent was formed from dot.com wreckage [wikipedia.org] and operates with "cost reduction" tactics like hot-potato routing to peer carriers [nanog.org] who do the work for Cogent but do not get paid.
Dollars to donuts, that server was well past its end of support.
Re: (Score:3)
Re: (Score:2)
I thought a bunch of the root servers were running some flavor of BSD?
Re: (Score:3)
I thought a bunch of the root servers were running some flavor of BSD?
That's a common misconception. The root of pure flavor is just water. Yes, ordinary tapwater, laced with nothing more than a few spoonfuls of BSD.
Re: (Score:1)
Re: (Score:3)
I thought a bunch of the root servers were running some flavor of BSD?
Noting that they didn't say the server stopped working/running, just that it lost contact/sync with the other servers. Sounds like either (a) a configuration or (b) connectivity issue. A more interesting question is why there isn't a mechanism to monitor this and notify someone when something hinky is afoot. Like, "Hey I haven't been able to sync with anyone for over X days!" Assuming there already isn't and the threshold is set to 4 days -- which seems too long. :-)
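The summary describes a root server whose copy of the root zone fell behind its twelve peers for days, and the comment above asks why nothing flagged it sooner. The block below is an added example of the kind of drift check a monitor could run; it is not code from Cogent, ICANN or any root operator. It assumes the monitor has already asked each root server for the root zone's SOA record and collected the serials (the letters are the real root-server letters, but the serial values are constructed for this illustration). Serials are compared with RFC 1982 sequence-space arithmetic, so a 32-bit wraparound is handled, and the root zone's YYYYMMDDNN serial layout is used to turn a lag into a number of days.

```python
"""Flag a root server whose root-zone SOA serial lags its peers.

Added example for this discussion; not code from any root-server operator.
The serials in OBSERVED_SERIALS are constructed sample values in the
YYYYMMDDNN layout the root zone uses; they are not real observations.
"""
from datetime import date

SERIAL_MODULUS = 2 ** 32          # DNS serials live in a 32-bit sequence space
HALF_SPACE = SERIAL_MODULUS // 2

# Constructed observation: one serial per root-server letter, as a monitor
# would collect by querying each server directly for ". IN SOA".
OBSERVED_SERIALS = {
    "a": 2024053001, "b": 2024053001, "c": 2024052601, "d": 2024053001,
    "e": 2024053001, "f": 2024053001, "g": 2024053001, "h": 2024053001,
    "i": 2024053001, "j": 2024053001, "k": 2024052902, "l": 2024053001,
    "m": 2024053001,
}


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 comparison: True if serial a is 'before' serial b.

    Plain integer comparison breaks when a zone's serial wraps past 2^32;
    RFC 1982 instead treats the space as a ring and compares across the
    shorter arc.
    """
    a %= SERIAL_MODULUS
    b %= SERIAL_MODULUS
    if a == b:
        return False
    return (a < b and b - a < HALF_SPACE) or (a > b and a - b > HALF_SPACE)


def serial_date(serial: int) -> date:
    """Extract the YYYYMMDD date from a root-zone-style serial (YYYYMMDDNN)."""
    year = serial // 1_000_000
    month = serial // 10_000 % 100
    day = serial // 100 % 100
    return date(year, month, day)


def newest_serial(serials: dict) -> int:
    """Pick the most recent serial among the observations using RFC 1982 order."""
    best = None
    for s in serials.values():
        if best is None or serial_lt(best, s):
            best = s
    return best


def find_lagging(serials: dict, max_days: int = 1) -> dict:
    """Return {server: days_behind} for servers more than max_days behind.

    The root zone is republished a couple of times a day, so a peer that is
    still serving yesterday's serial is tolerable; several days is not.
    """
    newest = serial_date(newest_serial(serials))
    lagging = {}
    for server, serial in serials.items():
        days_behind = (newest - serial_date(serial)).days
        if days_behind > max_days:
            lagging[server] = days_behind
    return lagging


def report(serials: dict, max_days: int = 1) -> str:
    """Human-readable alert text; empty string means all peers agree."""
    lagging = find_lagging(serials, max_days)
    if not lagging:
        return ""
    lines = [f"ALERT: {len(lagging)} root server(s) behind by more than {max_days} day(s):"]
    for server, days in sorted(lagging.items()):
        lines.append(f"  {server}.root-servers.net serial {serials[server]} is {days} day(s) behind")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(OBSERVED_SERIALS) or "all root servers in sync")
```

With the constructed data, only `c` is reported (four days behind); `k`, one day behind, stays under the default threshold. A real monitor would refresh the serial map on a schedule and page on the first non-empty report rather than waiting days.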
Re: (Score:3)
Oh, I was just commenting because the OP referenced a systemd service - which wouldn't be present on any BSD.
Re: (Score:2)
OP referenced a systemd service - which wouldn't be present on any BSD.
I glossed over that bit, good catch.
Re: (Score:2)
or (b) connectivity issue
Connectivity issues? Yeah, I'll bet they had Cogent as their internet provider... oh, wait.
Re: It happens (Score:5, Funny)
Don't blame me. (Score:2)
"I didn't do it." --Bart Simpson [youtube.com]
China (Score:2, Interesting)
Re:China [allegedly] (Score:2)
Jiiihna? Naw, they are too busy adding Gain of Function to lab pandemics, rigging GOP elections, building coal plants, harassing Taiwan, erasing Tank Man and Winnie-the-Xi from the Webtubes, planting documents at Mar-A-Lago, making MAGA hats, making scary looking white weather balloons that happen to drift over nuke silos, forcing Uyghur kids to make gold sneakers, sneaking across the Canadian border to supply Ronny Jackson with "candy", bribing Peng Shuai to STFU, bribing health officials to claim MSG is s
Re: (Score:2)
Lotta work.
Lotta work? I hear it's one big Party!
DNS is still a single point of failure. (Score:2)
Re: (Score:3)
It would take more than this since WU uses certificate authentication to validate updates
Re:DNS is still a single point of failure. (Score:5, Informative)
It would take more than this since WU uses certificate authentication to validate updates
https://sslmate.com/resources/... [sslmate.com]
How many more than this do you need?
Re: (Score:2)
Thankfully, Windows doesn't rely on anything as flaky as TLS certificates. Updates need to be signed with Microsoft's keys.
If you pull a server switcharoo, you may be able to get clients to download the fake update. But they won't execute it.
Re: (Score:2)
fool me once...
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
I assume that is a good faith question and not attempted poo-pooing gone embarrassingly bad. Think about it. What does DNS do?
There are 13 root servers. If any of them is down, any of the others can respond. I do not see how this is a single point of failure.
Even if you are talking about DNS resolution on a client machine as a single point of failure, every TCP/IP implementation supports having multiple DNS servers configured.
Re: (Score:2)
This scenario is mostly fearmongering and nonsense.
Further assume one of the CAs operating out of an authoritarian state is pressured to generate a cert for windowsupdate.com. Now each and every time a resolver pulls new glue you roll another D13 to find out if you've been hacked. Eventually just one compromised root can hack everyone.
Why would you ever trust a CA operating out of an authoritative state?
Every modern OS or browser--even Windows--allows you to choose which CAs you'll trust. If you are vulnerable in this situation, it is because your system is misconfigured.
If you want to be very careful, you can prune your trusted certificate store to the bare minimum or configure pinning for critical certificates. Or both.
Re: (Score:2)
You mean Microsoft is pressured? They're using code signing certificates, updates must be signed by Microsoft. Not the same ones used for domain verification.
If you're in control of Microsoft and their code signing certificate, you don't need DNS to help you.
Re: (Score:2)
Practically speaking, that's certainly the case from the perspective of, say, Proxima Centauri.
Re: (Score:2)
How much are you paying for that 48kbps leased line to get pr0n from Hiroko?
Re: (Score:2)
Oh the price is quite reasonable... but the latency is horrendous.
Re: (Score:2)
Well, as long as you don't fast forward too much, you should be fine, then.
Check the Oblig-A-Tron (Score:2)
I'm not saying it's aliens, but ... IT'S ALIENS! [reddit.com]
Re: (Score:2)
Nah, it's DNS... It's always DNS.
Recursive at that.
https://dnshaiku.com/ [dnshaiku.com]
Janitor with one of those floor polishing machines (Score:2)
Had to plug it in somewhere.
Re:"Forgot to plug it in" (Score:1)
https://www.youtube.com/watch?... [youtube.com]
Re: (Score:1)
One time a tenant in the lower half of my cabinet unplugged me to move some cords around. I drove to the colo as soon as possible and saw him there asking what's going on.
He basically didn't have anything to say except "oops." Apparently he used to be a doctor. Used to be.
AI has already (Score:1)
Re: (Score:2)
My /etc/hosts file is fine, thank you.
Ducky (Score:2)
Re: (Score:2)
Wasn't that just Bing falling over?
Duckduckgo uses Bing for searches, and their front page was fine but search pages failed.
As well as Copilot internet searches (also using Bing apparently) and Bing itself.