[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers

Simon Waters simonw at zynet.net
Wed May 21 08:38:24 UTC 2008

On Wednesday 21 May 2008 08:53, Stephane Bortzmeyer wrote:
> On Mon, May 19, 2008 at 09:37:19PM -0700,
>  David Conrad <drc at virtualized.org> wrote
>  a message of 47 lines which said:
> > http://blog.icann.org/?p=309
> As I read it, it says "Bill Manning did something wrong".

Bill has suggested that parts of ICANN were aware. So I'll reserve judgement
till people calm down.

> Now, this raises an interesting side issue: the very same Bill Manning
> operates a root name server, B. Which means that, in one way, ICANN
> trusts him, while saying publicly everywhere that he screwed up.

As far as everyone is aware he arranged that the answers given were the same
as they always had been. So it may be a managerial/contractual screw-up, but
from a technical perspective it is a non-event. No one got hurt, nothing to
see here.

ICANN have tolerated far worse "abuses" from TLD providers.

> What will happen should a root name server operator start to
> misbehave?

Presumably ICANN will drop them from the root zone. At which point those that
fail to update their hints will have the same issue again. If we "fix" the
root server IP addresses all it does is move the problem to the routing
layer, the nature of the problem itself doesn't change. It goes from "do I
trust this IP address to provide root server answers" to "do I trust this
routing announcement". Arguably it might remove one layer from the issue, but
the issue is essentially unchanged.

Ultimately the issue is improved by applying cryptography to the name system, 
then we only need to worry about what the data says and how timely it is, not 
how it got to us. Did the DNSSEC folk address replay attacks?
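As an added illustration (not code from this post or the thread), the stale-hints situation the message refers to can be caught on the resolver side by diffing the configured hints file against a fresh priming answer from the root servers. Both inputs below are constructed samples using TEST-NET-1 and documentation-prefix addresses rather than real root server addresses, and the helper functions are hypothetical names chosen for this example.

```python
"""Audit a resolver's root hints against the root servers' own priming answer.

Hints that keep pointing at an address a root operator has vacated keep sending
root queries to whoever holds that address now. Both inputs are constructed
samples in BIND zone-file style (192.0.2.0/24 and 2001:db8::/32 only).
"""
from typing import Dict, Set, Tuple

Records = Dict[str, Set[str]]   # owner name -> set of A/AAAA addresses

LOCAL_HINTS = """\
; constructed hints file as shipped with a resolver some time ago
.                    3600000  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.  3600000  A     192.0.2.1
.                    3600000  NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.  3600000  A     192.0.2.2
.                    3600000  NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.  3600000  A     192.0.2.3
"""

PRIMING_RESPONSE = """\
; constructed priming answer: C has moved, B has gained an IPv6 address
A.ROOT-SERVERS.NET.  518400   IN  A     192.0.2.1
B.ROOT-SERVERS.NET.  518400   IN  A     192.0.2.2
B.ROOT-SERVERS.NET.  518400   IN  AAAA  2001:db8::2
C.ROOT-SERVERS.NET.  518400   IN  A     192.0.2.43
"""

def parse_zone_records(text: str) -> Records:
    """Collect A and AAAA records; NS lines, comments and blanks are skipped."""
    records: Records = {}
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) < 4 or fields[-2] not in ("A", "AAAA"):
            continue
        name = fields[0].lower().rstrip(".") + "."   # normalise to absolute
        records.setdefault(name, set()).add(fields[-1])
    return records

def audit_hints(local: Records, priming: Records) -> Dict[str, Set[Tuple[str, str]]]:
    """Return (name, address) pairs that are stale locally or missing locally."""
    stale = {(n, a) for n, addrs in local.items()
             for a in addrs - priming.get(n, set())}
    missing = {(n, a) for n, addrs in priming.items()
               for a in addrs - local.get(n, set())}
    return {"stale": stale, "missing": missing}

if __name__ == "__main__":
    report = audit_hints(parse_zone_records(LOCAL_HINTS),
                         parse_zone_records(PRIMING_RESPONSE))
    for kind, pairs in report.items():
        for name, addr in sorted(pairs):
            print(f"{kind}: {name} {addr}")
```

A stale entry is the one to act on first: queries sent there are answered by whoever now holds that address, which is exactly the trust gap the message describes.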
