[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers
drc at virtualized.org
Tue May 20 15:02:59 UTC 2008
Or, you permanently lock down a set of provider independent DNS root
service /32s and /128s (reducing the risk of prefix hijack by someone
announcing a more specific) in a DNSOP BCP, allowing folks to
configure filters to ensure announcements for those /32s are blocked
and are coming from the "correct" ASes. Figuring out how to
(securely) change everyone's caching server configuration remotely
would no longer be an issue.
My personal view is that root service, which is _unique_ because of
the bootstrap problem, should NOT be associated with particular
organizations that provide that service, but rather the address at
which root service can be found. Renumbering root servers is just too
fraught with peril.
On May 20, 2008, at 5:36 AM, Florian Weimer wrote:
> With my spare-time vendor hat on, I wonder if future transitions might
> face similar issues. In that case, it might make sense to provide a
> signed, vendor-specific list of the current root servers, so that they
> can be changed automatically without a software upgrade (or a
> configuration change).
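The filter policy sketched above (a pinned list of root-service /32s and /128s with their covering prefixes and the ASes entitled to originate them, with more-specifics blocked) is easy to express as a route-origin check. The following is an added example, not code from this thread, from DNS-OARC or from any vendor; the protected addresses are RFC 5737 / RFC 3849 documentation space and the ASNs are private-range placeholders, all constructed for illustration, and the `Announcement` records stand in for what a route collector or a router's BGP table would feed the check.

```python
"""Origin and more-specific check for a pinned set of root-service prefixes.

Assumes a hypothetical allow-list (PROTECTED) that a BCP-style document would
publish: for each root-service host address, the legitimately announced
covering prefix and the origin ASNs allowed to announce it. All values below
are constructed placeholders, not real root-server data.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Protected:
    host: ipaddress.IPv4Network | ipaddress.IPv6Network      # the /32 or /128 root service lives at
    covering: ipaddress.IPv4Network | ipaddress.IPv6Network  # the prefix that is legitimately announced
    origins: frozenset                                        # ASNs allowed to originate `covering`


# Constructed allow-list (documentation prefixes, private-use ASNs).
PROTECTED = [
    Protected(ipaddress.ip_network("192.0.2.1/32"),
              ipaddress.ip_network("192.0.2.0/24"), frozenset({64500})),
    Protected(ipaddress.ip_network("2001:db8::53/128"),
              ipaddress.ip_network("2001:db8::/48"), frozenset({64500})),
    Protected(ipaddress.ip_network("198.51.100.7/32"),
              ipaddress.ip_network("198.51.100.0/24"), frozenset({64501, 64502})),
]


@dataclass(frozen=True)
class Announcement:
    prefix: str       # NLRI as text, e.g. "192.0.2.0/24"
    as_path: tuple    # AS_PATH left to right; the origin ASN is the last element


def classify(ann: Announcement, protected=PROTECTED):
    """Return (action, reason, protected_host) for one announcement.

    action is 'accept' or 'reject'. reason is one of:
      more-specific  - prefix is longer than the pinned covering prefix (this
                       includes the /32 or /128 itself); rejected regardless of
                       origin, which is the point of pinning the covering prefix
      wrong-origin   - exact covering prefix from an ASN not on the allow-list
      ok             - exact covering prefix from a permitted origin
      less-specific  - an aggregate that contains the host; longest-match keeps
                       the legitimate route, so it passes this filter
      unrelated      - does not contain any protected host
    """
    net = ipaddress.ip_network(ann.prefix, strict=False)
    origin = ann.as_path[-1]
    for p in protected:
        # subnet_of() raises on mixed address families, so compare versions first.
        if net.version != p.host.version or not p.host.subnet_of(net):
            continue
        if net.prefixlen > p.covering.prefixlen:
            return ("reject", "more-specific", str(p.host))
        if net.prefixlen < p.covering.prefixlen:
            return ("accept", "less-specific", str(p.host))
        # Same length and containing the host means net == p.covering.
        if origin not in p.origins:
            return ("reject", "wrong-origin", str(p.host))
        return ("accept", "ok", str(p.host))
    return ("accept", "unrelated", None)


def audit(announcements, protected=PROTECTED):
    """Classify a whole table; returns a list of (announcement, action, reason, host)."""
    return [(a, *classify(a, protected)) for a in announcements]


# Constructed sample table exercising every verdict.
SAMPLE = [
    Announcement("192.0.2.0/24", (64512, 64500)),     # legitimate
    Announcement("192.0.2.1/32", (64512, 64666)),     # more-specific of a pinned host
    Announcement("192.0.2.0/24", (64512, 64666)),     # right prefix, wrong origin
    Announcement("2001:db8::/48", (64513, 64500)),    # legitimate v6
    Announcement("2001:db8::/64", (64513, 64500)),    # more-specific even from the right AS
    Announcement("198.51.100.0/24", (64502,)),        # second permitted origin
    Announcement("203.0.113.0/24", (64512, 64700)),   # unrelated prefix
    Announcement("192.0.0.0/16", (64512, 64500)),     # aggregate containing a pinned host
]

if __name__ == "__main__":
    for ann, action, reason, host in audit(SAMPLE):
        print(f"{action:6} {reason:13} {ann.prefix:18} origin AS{ann.as_path[-1]}  host={host}")
```

Note that the more-specific rule fires even when the origin ASN is the legitimate one; AS_PATH carries no authentication, so a filter that trusted the origin alone would be weaker than one that also refuses anything longer than the pinned covering prefix.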