The Internet runs on two fragile technologies: BGP connections among routers, and a bunch of root DNS servers deployed around the planet. How much longer do you think this setup could still be effective?
Bill Cheswick: For quite a while, actually, though there are obvious, well-known weaknesses with both systems. The DNS root servers appear to be 13 hosts, but are actually many more. They have been under varying, continual, low-level attacks for many years, a process that tends to toughen the defenses and make them quite robust. A few years ago there was a strong attack on the root servers, taking 9 of the 13 down at some point.
There are other root servers, of course. Anyone can run one, it is just a question of getting people to use it. I understand that China is proceeding with root servers of their own. DNSSEC is a way to get the right DNS answer, but its deployment has had problems for at least 10 years.
BGP is certainly another network issue. Where should my routers forward packets to? BGP distributes this information throughout the Internet. There are two problems here: 1) is the distribution working correctly, and 2) are the other players sending the correct information in the first place. This is usually an easy problem between an ISP and their customer. The customer is only allowed to announce certain routes, and the ISP filters these announcements to enforce the restriction. It is easy on a short list of announcements.
But at the peering point with other ISPs, this becomes hard, because there are hundreds of thousands of routes, and it isn't clear which is which. Should I forward packets for Estonia to router A or router B? We are far removed from the places where these answers are known.