[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers
simonw at zynet.net
Wed May 21 08:38:24 UTC 2008
On Wednesday 21 May 2008 08:53, Stephane Bortzmeyer wrote:

> On Mon, May 19, 2008 at 09:37:19PM -0700,
> David Conrad <drc at virtualized.org> wrote
> a message of 47 lines which said:
> > http://blog.icann.org/?p=309
> As I read it, it says "Bill Manning did something wrong".

Bill has suggested that parts of ICANN were aware. So I'll reserve judgement
till people calm down.

> Now, this raises an interesting side issue: the very same Bill Manning
> operates a root name server, B. Which means that, in one way, ICANN
> trusts him, while saying publicly everywhere that he screwed up.

As far as everyone is aware he arranged that the answers given were the same
as they always had been. So it may be a managerial/contractual screw-up, but
from a technical perspective it is a non-event. No one got hurt, nothing to

ICANN have tolerated far worse "abuses" from TLD providers.

> What will happen should a root name server operator start to

Presumably ICANN will drop them from the root zone. At which point those that
fail to update their hints will have the same issue again. If we "fix" the
root server IP addresses all it does is move the problem to the routing
layer, the nature of the problem itself doesn't change. It goes from "do I
trust this IP address to provide root server answers" to "do I trust this
routing announcement". Arguably it might remove one layer from the issue, but
the issue is essentially unchanged.

Ultimately the issue is improved by applying cryptography to the name system,
then we only need to worry about what the data says and how timely it is, not
how it got to us. Did the DNSSEC folk address replay attacks?
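The stale-hints failure mode discussed in this thread (a resolver that never refreshes its hints keeps priming against whatever addresses the old file lists, long after a root server has moved) can be checked for locally. The following is an added example, not code from this post or from any root operator: it parses a hints file and a priming response in zone-file form and reports every name/address pair that the current root NS set no longer vouches for. The server names, addresses and records are constructed placeholders (RFC 5737 documentation ranges), not real root server data.

```python
"""Flag root hints entries that the current root NS/glue set no longer lists."""
from collections import defaultdict

# Constructed sample hints file. Names and addresses are placeholders
# (RFC 5737 documentation ranges), not real root server data.
OLD_HINTS = """\
.                        3600000  NS  A.ROOT-SERVERS.EXAMPLE.
.                        3600000  NS  B.ROOT-SERVERS.EXAMPLE.
A.ROOT-SERVERS.EXAMPLE.  3600000  A   192.0.2.4
B.ROOT-SERVERS.EXAMPLE.  3600000  A   198.51.100.107
"""

# Constructed priming response (root NS RRset plus glue) for the same names.
# B has renumbered: its old address is gone from the set, even if it still answers.
CURRENT_PRIMING = """\
.                        518400   NS  A.ROOT-SERVERS.EXAMPLE.
.                        518400   NS  B.ROOT-SERVERS.EXAMPLE.
A.ROOT-SERVERS.EXAMPLE.  518400   A   192.0.2.4
B.ROOT-SERVERS.EXAMPLE.  518400   A   203.0.113.9
"""


def parse_records(text):
    """Return (set of root NS names, {name: set of A/AAAA addresses})."""
    names, glue = set(), defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith(";"):
            continue  # blank line or zone-file comment
        owner, rtype, rdata = fields[0].lower(), fields[2].upper(), fields[3]
        if owner == "." and rtype == "NS":
            names.add(rdata.lower())
        elif rtype in ("A", "AAAA"):
            glue[owner].add(rdata.lower())
    return names, glue


def stale_hints(hints_text, priming_text):
    """Return {(name, address)} pairs present in the hints but not in the priming data."""
    hint_names, hint_glue = parse_records(hints_text)
    live_names, live_glue = parse_records(priming_text)
    return {
        (name, addr)
        for name in hint_names
        for addr in hint_glue.get(name, ())
        if name not in live_names or addr not in live_glue.get(name, ())
    }


for name, addr in sorted(stale_hints(OLD_HINTS, CURRENT_PRIMING)):
    print(f"stale hint: {name} {addr} is not in the current root NS/glue set")
```

Against live data, feed it your resolver's hints file and the answer to a priming query (`NS` for `.`, with the glue from the additional section) in the same zone-file form.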