[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers

David Conrad drc at virtualized.org
Tue May 20 15:02:59 UTC 2008


Or, you permanently lock down a set of provider independent DNS root
service /32s and /128s (reducing the risk of prefix hijack by someone
announcing a more specific) in a DNSOP BCP, allowing folks to
configure filters to ensure announcements for those /32s are blocked
and are coming from the "correct" ASes.  Figuring out how to
(securely) change everyone's caching server configuration remotely
would no longer be an issue.

My personal view is that root service, which is _unique_ because of
the bootstrap problem, should NOT be associated with particular
organizations that provide that service, but rather the address at
which root service can be found.  Renumbering root servers is just too
fraught with peril.

Regards,
-drc

On May 20, 2008, at 5:36 AM, Florian Weimer wrote:

> With my spare-time vendor hat on, I wonder if future transitions might
> face similar issues.  In that case, it might make sense to provide a
> signed, vendor-specific list of the current root servers, so that they
> can be changed automatically without a software upgrade (or a
> configuration change).
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.oarci.net
> http://lists.oarci.net/mailman/listinfo/dns-operations
>
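The filter the mail above sketches, written out as an added example (this is not code from the thread or from any root operator): a hypothetical BCP-style registry pins each root service address to the covering prefix expected in the DFZ and to the origin ASes allowed to announce it, and a checker flags any announcement that is either more specific than the registered prefix (which would win longest-match over the legitimate route) or carries an unauthorized origin AS. The registry, ASNs (private-use range) and announcements are constructed from documentation prefixes, not the real root server address plan; the prefix-list rendering assumes Cisco IOS syntax.

```python
"""Flag BGP announcements that could hijack a locked-down root service address.

Added example, not code from the original thread. The registry and the
announcements below are constructed: RFC 5737/RFC 3849 documentation prefixes
and private-use ASNs (RFC 6996) stand in for the real root server address plan.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Protected:
    """One root service address (a /32 or /128) as a BCP would pin it down."""
    address: IPAddress            # the address resolvers hard-code
    covering: IPNetwork           # the prefix expected to carry it in the DFZ
    origins: FrozenSet[int]       # origin ASNs allowed to announce that prefix


def protect(address: str, covering: str, *origins: int) -> Protected:
    addr = ipaddress.ip_address(address)
    net = ipaddress.ip_network(covering)
    if addr not in net:
        raise ValueError(f"{address} is not inside {covering}")
    return Protected(addr, net, frozenset(origins))


# Hypothetical registry (constructed sample, not the real root server list).
REGISTRY = [
    protect("192.0.2.1", "192.0.2.0/24", 64500),
    protect("2001:db8:1::1", "2001:db8:1::/48", 64500),
    protect("198.51.100.7", "198.51.100.0/24", 64501, 64502),  # anycast from two ASes
]


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: Tuple[int, ...]      # leftmost = neighbour, rightmost = origin

    @property
    def origin(self) -> int:
        return self.as_path[-1]


def check(announcements: List[Announcement], registry=REGISTRY) -> List[Tuple[str, int, str]]:
    """Return (prefix, origin_as, reason) for every announcement to reject.

    Two conditions are flagged, matching the filter the mail proposes: a prefix
    more specific than the registered covering prefix, or the covering prefix
    announced with an origin AS that is not authorized for it.
    """
    findings = []
    for ann in announcements:
        net = ipaddress.ip_network(ann.prefix)
        for entry in registry:
            if net.version != entry.address.version or entry.address not in net:
                continue  # this announcement does not cover the protected address
            if net.prefixlen > entry.covering.prefixlen:
                findings.append((ann.prefix, ann.origin,
                                 f"more specific than registered {entry.covering}"))
            elif ann.origin not in entry.origins:
                findings.append((ann.prefix, ann.origin,
                                 f"origin not authorized for {entry.covering}"))
    return findings


def prefix_list(name: str, registry=REGISTRY) -> List[str]:
    """Render exact-match prefix-list lines (Cisco IOS style, assumed syntax).

    An entry without ge/le matches only that exact prefix length, so a more
    specific announcement falls through to the final deny. Origin-AS checks
    are not expressible in a prefix-list; check() covers them here.
    """
    lines, seq, seen = [], 5, set()
    for entry in registry:
        if entry.covering in seen:
            continue
        seen.add(entry.covering)
        kw = "ip" if entry.covering.version == 4 else "ipv6"
        lines.append(f"{kw} prefix-list {name} seq {seq} permit {entry.covering}")
        seq += 5
    lines.append(f"ip prefix-list {name} seq {seq} deny 0.0.0.0/0 le 32")
    lines.append(f"ipv6 prefix-list {name} seq {seq} deny ::/0 le 128")
    return lines


# Constructed sample feed, e.g. what a route collector might show.
SAMPLE_ANNOUNCEMENTS = [
    Announcement("192.0.2.0/24", (64496, 64500)),        # legitimate
    Announcement("192.0.2.0/25", (64496, 64497)),        # more-specific hijack
    Announcement("192.0.2.0/24", (64498, 64497)),        # wrong origin
    Announcement("2001:db8:1::/48", (64496, 64500)),     # legitimate
    Announcement("198.51.100.0/24", (64498, 64502)),     # legitimate second anycast origin
    Announcement("198.51.100.7/32", (64496, 64501)),     # host route, even from an authorized AS
    Announcement("203.0.113.0/24", (64496, 64497)),      # unrelated, ignored
]

if __name__ == "__main__":
    for prefix, origin, reason in check(SAMPLE_ANNOUNCEMENTS):
        print(f"REJECT {prefix} from AS{origin}: {reason}")
    print("\n".join(prefix_list("ROOT-SERVICE")))
```

Running the script rejects three of the seven sample announcements: the /25 and the /32 because they are more specific than the registered covering prefix (the /32 is rejected even though its origin is an authorized AS, since a host route from anywhere would still override the registered route), and the /24 with the wrong origin. The prefix-list only enforces the exact-prefix half of this; origin enforcement on a router needs an as-path filter or route-origin validation alongside it.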