22 Nov 2001
Security experts and root server administrators have defended the security and stability of the internet's root DNS servers following this month's Icann meeting.
Industry has become increasingly concerned about the amount of damage a hacker could do by targeting the Icann root servers.
But Lars-Johan Liman, operations manager of a European root server in Sweden, said that the physical security of the root servers was not really an issue.
"The actual computers that provide the root service are not special, and therefore one does not need to worry about protecting the actual box from destruction," he said.
"A root name server can easily be replaced with another computer, and the new one can be configured in a matter of minutes," he added.
Only "if you take out all root name servers at once" will internet services suffer from reachability problems, said Liman.
Although there are only 13 root DNS servers in total, the fact that "the internet is connectionless" ensures its stability and greatly reduces the threat of disruption by hackers, software vulnerabilities and denial of service attacks.
Liman also dismissed concerns about possible vulnerabilities in the Bind operating software that runs the servers, saying that root servers use the latest version, which so far is bulletproof.
"The version of Bind that runs on the root name servers is not known to have any security related vulnerabilities. If it did, you can rest assured that we wouldn't run it," he said.
This comment was backed up by Stan Borinski, president of security firm Network Presence, who said "the root servers are running the most secure versions of Bind available. In fact, one of them is run by the chief software architect of Bind."
Liman explained that root server operators monitor several security related information channels, and should a security problem be found in the code, "all root ops are immediately notified so that they can watch their servers even closer, looking for intrusion attempts through the specific vulnerability."
And should an attempt be made to reconfigure the server, an attacker "would face an extremely hard task, and I would deem it close to impossible without the proper access codes," he said.
Borinski also played down the threat of denial of service exposure. "Everything is vulnerable to denial of service attacks simply by being connected to the internet," he said. "Is there room for improvement? Certainly. I don't think any of the root operators would quarrel with that."
The strong resilience of the root DNS backbone was further cited by David Conrad, chief technology officer of DNS host Nominum. Conrad gave a presentation at the Icann conference which found that despite "many misconfigurations, unsafe server implementations and bad operational procedures" on lower level servers, "the DNS is remarkably resilient to a variety of sins and pretty much works despite the state of the infrastructure".
He said that the "oft-quoted '80 per cent of DNS servers misconfigured' is probably wrong. The DNS mostly works," he said.