[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers

Edward Lewis Ed.Lewis at neustar.biz
Wed May 21 12:00:17 UTC 2008

At 12:38 +0200 5/21/08, Shane Kerr wrote:

>Now that we've seen DNS-based problems with the root in the wild,
>perhaps it is time to consider signing ROOT-SERVERS.NET?

The knee-jerk reaction to this question, which really isn't a direct 
answer, is that DNSSEC would have had no bearing on the recent 
incident, because in the incident the root zone answers were not 
being altered.  It's as if you asked a cache (but with the AA bit on).

The problem isn't that the wrong address for L root was being 
obtained via a query, the problem is that many DNS implementations 
assume root server addresses (via hard coding or via configuration). 
These implementations believe the old address is authoritative and 
thus wouldn't use the RFC 2181 rules to question it.

DNSSEC would only ensure that responses came from the authority that 
signed the data.  After the first round of DNSSEC definition (RFC 
2065) we gave up on verifying anything "read from disk" assuming host 
security took care of that, so DNSSEC doesn't protect configured-in 

The incident is a unique case - moving a root server off an address. 
Not a lot you can do about that.  Even if someone set up a rogue 
anycast instance, routing security mechanisms should be in place to 
stop that.  But trying to deny answers from an address not under 
control can't really be stopped.

Edward Lewis                                                +1-571-434-5468

Never confuse activity with progress.  Activity pays more.
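The point above, that resolvers trust root addresses they read from configuration rather than from a query, suggests a simple hygiene check: compare the configured hints file against what a priming query returns. This is an added example, not code from the post; the hints text and the priming answer are constructed stand-ins using documentation addresses, not real root-server data.

```python
"""Flag root hints that disagree with a priming response (added example)."""

# Constructed hints in named.root layout; the records are invented.
ROOT_HINTS = """\
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.1
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     192.0.2.12
L.ROOT-SERVERS.NET.      3600000      AAAA  2001:db8::12
"""

# Constructed stand-in for the additional section of a priming answer;
# a live check would fill this from an actual query to a root server.
PRIMING = {
    "A.ROOT-SERVERS.NET.": {"192.0.2.1"},
    "L.ROOT-SERVERS.NET.": {"192.0.2.13", "2001:db8::12"},  # L renumbered
}


def parse_hints(text):
    """Return {server name: set of addresses} for A/AAAA hint records."""
    hints = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[2] in ("A", "AAAA"):
            # Normalise case so IPv6 literals compare reliably.
            hints.setdefault(fields[0].upper(), set()).add(fields[3].lower())
    return hints


def stale_hints(hints, priming):
    """Return {name: (stale addresses, missing addresses)} for every
    server whose configured addresses differ from the priming answer.
    A server present on only one side is reported as well."""
    report = {}
    for name in sorted(set(hints) | set(priming)):
        configured = hints.get(name, set())
        live = priming.get(name, set())
        stale, missing = configured - live, live - configured
        if stale or missing:
            report[name] = (stale, missing)
    return report


if __name__ == "__main__":
    for name, (stale, missing) in stale_hints(parse_hints(ROOT_HINTS), PRIMING).items():
        print(f"{name}: stale={sorted(stale)} missing={sorted(missing)}")
```

Hints flagged as stale are exactly the configured-in addresses the post describes: a resolver that ranks them as authoritative will keep using them until someone updates the file.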
