December 15, 2004

Would NTIA or ICANN Know Internet Instability If It Smacked 'em Upside the Head And Introduced Itself?

Remember how I've been harping on the reckless actions of the US Department of Commerce's NTIA and ICANN in allowing the removal of 15% of IPv4 information and its replacement by IPv6 information?

(If you missed it, you can read about it in my postings: Driving Blind; Something's Happening But We Don't Know What It Is, Do We Mr. Jones?; Follow-up on my note: An Open Letter to NTIA, ICANN, and IANA; and An Open Letter to NTIA, ICANN, and IANA.)

Remember how NTIA and ICANN assured me that they would never allow a change that risks the stability of the net?

Well, despite the absence of any technical evaluation of the risks, such a change was made by NTIA and ICANN.  And now reports of instability have begun to surface.

What has happened is this: with the introduction of IPv6-based name servers, some resolvers running on hosts that have IPv6 enabled (which includes the default settings on many recent Linux releases) but no actual IPv6 connectivity appear to be trying to talk to those IPv6-based servers.  Those queries can never be answered; it takes time for them to time out and for the resolver to move on to a usable IPv4 address.  Users perceive delays (four seconds) in name resolution.
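The stall described above comes from a resolver walking a list of name-server addresses in order and paying a full timeout for every address it has no route to. The following is an added illustration, not code from the original post: it models that walk as a pure function (so it can be run offline with a stubbed reachability predicate) and pairs it with a real, packet-free route probe using a UDP connect(). The server names, the RFC 3849/5737 documentation addresses, the "IPv6 glue listed first" ordering and the four-second per-attempt timeout are all assumptions chosen for illustration.

```python
"""Added example (not from the original post): estimate how long a stub
resolver can stall when a zone advertises IPv6 name-server addresses to a
host that has IPv6 enabled but no IPv6 route.

Assumptions (hypothetical, for illustration only):
  * the resolver tries server addresses in the order they are listed,
  * each unreachable address costs one full timeout before the next is tried,
  * the timeout value and the server list below are constructed.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class NameServer:
    name: str
    address: str


def family_of(address: str) -> int:
    """Pick the socket family from the textual address."""
    return socket.AF_INET6 if ":" in address else socket.AF_INET


def has_route(address: str, port: int = 53) -> bool:
    """Return True if the kernel has a route toward `address`.

    A UDP connect() sends no packets; it only asks the kernel to choose a
    source address and route, so it fails immediately (ENETUNREACH or a
    similar error) when the host has no usable path for that family.
    Result depends on the host it runs on; the offline model uses a callback.
    """
    try:
        with socket.socket(family_of(address), socket.SOCK_DGRAM) as s:
            s.connect((address, port))
        return True
    except OSError:
        return False


def model_lookup(servers, reachable, timeout_s=4.0):
    """Walk the server list the way a naive resolver would.

    Returns (total stall in seconds, servers skipped, server that answers).
    `reachable` is a predicate so the model can be exercised offline.
    """
    stall = 0.0
    skipped = []
    for ns in servers:
        if reachable(ns.address):
            return stall, skipped, ns
        stall += timeout_s          # one wasted timeout per dead address
        skipped.append(ns)
    return stall, skipped, None     # nothing answered at all


def v4_only(address: str) -> bool:
    """Reachability predicate for a host with IPv6 enabled but no IPv6 route."""
    return ":" not in address


# Constructed server list: a zone whose IPv6 glue is listed first.
SERVERS = [
    NameServer("ns1.example", "2001:db8::53"),    # RFC 3849 documentation prefix
    NameServer("ns2.example", "2001:db8:1::53"),
    NameServer("ns3.example", "192.0.2.53"),      # RFC 5737 documentation range
]

if __name__ == "__main__":
    stall, skipped, answerer = model_lookup(SERVERS, v4_only)
    print(f"stall {stall:.0f}s, skipped {[s.name for s in skipped]}, "
          f"answered by {answerer.name if answerer else 'nobody'}")
    # Real probe on this host; the output depends on local routing.
    print({s.address: has_route(s.address) for s in SERVERS})
```

With the constructed list, a host that has IPv6 enabled but no IPv6 route spends two full timeouts (eight seconds under the assumed four-second timeout) before reaching the one IPv4 server; a host with working IPv6 answers from the first entry with no stall. The probe function is what a defender would run across a fleet to find hosts that would exhibit the reported behaviour before users notice the delay.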

More about this can be found in a posting on the NANOG mailing list and on comp.protocols.dns.bind.

Yesterday I spent about 20 minutes setting up a test to try to reproduce the problem.  I used a spare computer with a single interface.  I used Fedora Core 3 (with up-to-date patches) with IPv4 connectivity and its default IPv6 configuration but no IPv6 connectivity on, or out of, the subnet to which it was attached.  I used bind-9.2.4-2 with its default configuration.  I ran a half dozen informal tests in which I monitored all the packets coming in and out while I started bind afresh and performed queries via the machine's resolver.  I did not observe any attempts to use IPv6 packets - in other words I did not observe the reported misbehavior.  However I did notice that some queries (e.g. dig @localhost www.no-such-name.fr) generated as many as 46 IPv4-based query and response packets (including queries for AAAA and A6 records).
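Anyone repeating that experiment ends up doing the same bookkeeping: for each query packet that left the host, note which transport family carried it and which record type it asked for. The following is an added example and not the tooling behind the post; it parses the question section of RFC 1035 query messages and tallies them by family and query type. The capture is constructed inside the file with the included `build_query` helper (names such as `ns.example` are placeholders); a real run would feed in UDP payloads recorded with tcpdump or a similar capture tool.

```python
"""Added example (not the post's own tooling): tally DNS query packets by
transport family and by query type, the kind of count behind the post's
"46 packets, including AAAA and A6 queries" observation.

The packets below are constructed here with `build_query`; a real run would
feed in UDP payloads captured with tcpdump or similar.
"""
import struct
from collections import Counter

# Query types relevant to the post; A6 (RFC 2874) is the since-deprecated
# IPv6 record type that BIND of that era still asked for.
QTYPE = {1: "A", 2: "NS", 28: "AAAA", 38: "A6"}


def encode_name(name: str) -> bytes:
    """Encode a dotted name as RFC 1035 length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid: int, name: str, qtype: int) -> bytes:
    """Minimal query: header (RD set, QDCOUNT=1) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_question(payload: bytes):
    """Return (qname, qtype) from the first question of a DNS message.

    Raises ValueError on truncated or malformed input rather than guessing,
    so a damaged capture is reported instead of silently miscounted.
    """
    if len(payload) < 12:
        raise ValueError("short DNS header")
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            raise ValueError("truncated qname")
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(payload):
        raise ValueError("truncated qtype/qclass")
    qtype = struct.unpack("!H", payload[pos:pos + 2])[0]
    return ".".join(labels), qtype


def tally(packets):
    """packets: iterable of (family, payload), family being 'v4' or 'v6'.

    Returns (Counter per family, Counter per query-type name).
    """
    by_family, by_type = Counter(), Counter()
    for family, payload in packets:
        _qname, qtype = parse_question(payload)
        by_family[family] += 1
        by_type[QTYPE.get(qtype, str(qtype))] += 1
    return by_family, by_type


# Constructed capture: every query left the host over IPv4, as in the post's
# run; the type mix shows the extra AAAA/A6 lookups a resolver can issue.
NAME = "www.no-such-name.fr"
CAPTURE = [
    ("v4", build_query(0x1001, NAME, 1)),
    ("v4", build_query(0x1002, NAME, 28)),
    ("v4", build_query(0x1003, NAME, 38)),
    ("v4", build_query(0x1004, "fr", 2)),
    ("v4", build_query(0x1005, "ns.example", 28)),
]

if __name__ == "__main__":
    fam, typ = tally(CAPTURE)
    print(dict(fam), dict(typ))
```

A tally whose family column contains any `v6` entries on a host without an IPv6 route is the signature of the reported misbehaviour; the type column, meanwhile, shows why a single lookup fans out into many more packets than the one A query a user asked for.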

For the moment let's assume that the NANOG and comp.protocols.dns.bind reports are accurate and that my inability to reproduce the problem was due to some flaw in my setup or in my methodology.

Now you might say: "Four seconds?  Big deal."  Would you say that if you were using a VOIP phone to call for help because your house is burning or your child has stopped breathing?  OK, perhaps that's an extreme case - but it certainly is a foreseeable one.  And at internet speeds, even a few seconds matter - would you be happy if you lost a bid on eBay or lost out on a stock deal because you got stalled by a cascade of these delays?  At the least such delay can be very frustrating.

NTIA conceived and backed ICANN for the specific purpose of protecting the technical stability of the internet.  Both bodies emit large numbers of words asserting that this is what ICANN is for and what ICANN does.  Yet if we look to their actions rather than their words there is no evidence that NTIA and ICANN actually care about assuming actual responsibility and exercising actual oversight to ensure that the internet's DNS actually runs efficiently, reliably, and accurately 24x7x365.

Is NTIA or ICANN even aware of these issues?  Yes they are, but only because I actually called NTIA and, after several days of attempts, spoke to people there.  And I have had e-mail correspondence about this matter with ICANN (which, by the way, is not visible on ICANN's correspondence web page).

Has NTIA or ICANN initiated a study or tried to reproduce the problem?  There is no indication that they have - or that they intend to do so.

We have a dangerous situation.  We have an oversight gap.  There is an absence of management.  Nobody is making sure that the various parts of the Domain Name System are all flying at all, much less that they are safely flying in the same direction.  The Challenger and Columbia disasters showed us what can happen when there are oversight gaps and negligent managers.  NTIA and ICANN have created an undefended vulnerability through which a catastrophic failure, or successful attack, of DNS, and thus of the entire internet, is possible.

It's pretty clear that ICANN's goal is to be the jealous overlord of domain name business practices and products.

And it's also pretty clear that the goal of NTIA is to make political brownie points and award itself a gold star for privatization.

It is also quite clear that NTIA and ICANN are reducing the stability of the internet by distracting attention from the absence of coherent supervision over those things that actually affect the reliability, efficiency, and accuracy of the upper layers of the Domain Name System.

We can let NTIA and ICANN live in their fantasy worlds.  NTIA can have its little gold star.  And ICANN can try to defend itself against an increasing number of claims, made under an increasing number of national laws, that it has become merely a combination of industrial actors who collaborate among themselves to restrain and restrict the participants in the DNS marketplace and to establish prices and product specifications, all without any technical basis for doing so.

In the meantime we do need to establish a responsible authority to ensure that the DNS and IP address allocation systems are being managed and operated safely.  This is a vacuum that must be filled.

Posted by karl at December 15, 2004 8:51 AM