Update: Ben Hyde suggested I should use the (undocumented) “concentrate” option to dot, which certainly tidies up the graphs. So I did.
A remark on the IETF DNS Working Group’s mailing list got me thinking.
Suppose I were the owner of nordu.net (to pick an example at random), then I could take control of sunet.se, for about 25% of Internet users, since one of their four nameservers is server.nordu.net. Similarly, I could then take control of ripe.net for 25% of those 25% (via sunic.sunet.se). One in seven of those guys could fall victim to my ownership of ns-sec.ripe.net, and from there I have complete control of fr (that is, France) – ok, by now, for only a bit under 1% of the Internet, but even so, that’s kinda worrying, don’t you think? And obviously if I own sunet.se then it would be more like 3.5%…
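The arithmetic in the paragraph above, as an added example (not code from the original post): it computes the share of lookups a domain's controller could answer for a dependent zone, lists the transitive dependencies, and emits dot source with the concentrate option. Assumptions: the `.example` nameserver names are placeholders padding each NS set to the size the post implies, a host's controlling zone is taken to be its last two labels, parent-zone delegations are ignored, and resolvers pick uniformly among nameservers.

```python
from fractions import Fraction

# Constructed data: only the hosts named in the post are real. The *.example
# names are placeholders that pad each NS set to the size the post implies.
NS = {
    "sunet.se": ["server.nordu.net"] + [f"ns{i}.sunet.example" for i in range(3)],
    "ripe.net": ["sunic.sunet.se"] + [f"ns{i}.ripe.example" for i in range(3)],
    "fr": ["ns-sec.ripe.net"] + [f"ns{i}.fr-tld.example" for i in range(6)],
}

def owner_zone(host):
    """Assumption: the zone controlling a host is its last two labels."""
    return ".".join(host.split(".")[-2:])

def share(owner, zone, seen=frozenset()):
    """Fraction of lookups for `zone` that whoever controls `owner` can answer,
    if a resolver picks uniformly among the nameservers at every step."""
    if zone == owner:
        return Fraction(1)
    if zone in seen or zone not in NS:   # loop, or no data: count as no exposure
        return Fraction(0)
    hosts = NS[zone]
    return sum((share(owner, owner_zone(h), seen | {zone}) for h in hosts),
               Fraction(0)) / len(hosts)

def dependencies(zone, found=None):
    """Every zone that `zone` transitively relies on for its nameservers."""
    found = set() if found is None else found
    for h in NS.get(zone, []):
        z = owner_zone(h)
        if z not in found:
            found.add(z)
            dependencies(z, found)
    return found

def to_dot(zone):
    """Graphviz source for the dependency graph, using dot's concentrate option."""
    zones = sorted({zone} | dependencies(zone))
    edges = sorted({(z, owner_zone(h)) for z in zones for h in NS.get(z, [])})
    body = "".join(f'  "{a}" -> "{b}";\n' for a, b in edges)
    return "digraph deps {\n  concentrate=true;\n" + body + "}\n"

if __name__ == "__main__":
    for owner in ("nordu.net", "sunet.se"):
        print(owner, "-> fr:", float(share(owner, "fr")))
    print(to_dot("fr"))
```

Run against your own zone's NS sets, the same functions show which outside domains your delegation quietly trusts.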
On the other hand, uk does not suffer from this problem: it depends only on nic.uk. Which seems like a much better idea. Anyway, I got to wondering just how bad this problem actually is, which led to me having more fun with dot. So, for a taster, here’s France’s dependencies…
And here’s the UK’s
And here’s Fiji (I include this for Jasvir, who is getting married there soon, and ought to know the terrible risk he’s taking)
And all the top level domains put together
So that one is pretty but a bit hard to digest. Obviously the main news is that there are a lot of domains which could interfere with one or more TLDs!
Another way to think about this is to wonder who could pwn the most TLDs? Well, the answer (after the root, of course) is that net come in equal first with 228 TLDs pwnable. Next up is Afilias, through a variety of domains, including info, able to control 187 TLDs. After that comes se (Sweden) with 158 and uit.no, all able to have a go at 157 TLDs.
Food for thought. Especially if you’re thinking about DNSSEC.