[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers
Edward Lewis
Ed.Lewis at neustar.biz
Wed May 21 12:00:17 UTC 2008
At 12:38 +0200 5/21/08, Shane Kerr wrote:
>Now that we've seen DNS-based problems with the root in the wild,
>perhaps it is time to consider signing ROOT-SERVERS.NET?
The knee-jerk reaction to this question, which really isn't a direct
answer, is that DNSSEC would have had no bearing on the recent
incident, because in the incident the root zone answers were not
being altered. It's as if you asked a cache (but with the AA bit on).
The problem isn't that the wrong address for L root was being
obtained via a query; the problem is that many DNS implementations
assume root server addresses (via hard coding or via configuration).
These implementations believe the old address is authoritative and
thus wouldn't use the RFC 2181 rules to question it.
DNSSEC would only ensure that responses came from the authority that
signed the data. After the first round of DNSSEC definition (RFC
2065) we gave up on verifying anything "read from disk" assuming host
security took care of that, so DNSSEC doesn't protect configured-in
data.
The incident is a unique case - moving a root server off an address.
Not a lot you can do about that. Even if someone set up a rogue
anycast instance, routing security mechanisms should be in place to
stop that. But trying to deny answers from an address not under
control can't really be stopped.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
Never confuse activity with progress. Activity pays more.
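The practical control for the case described above (configured-in root server addresses that DNSSEC cannot validate) is to cross-check the hints file against a priming response. The following is an added example, not code from the thread or from any resolver implementation: it parses a named.root-style hints file and diffs it against a priming answer. Both the hints and the priming answer are constructed sample data using RFC 5737 / RFC 3849 documentation addresses, not real root-server addresses; the dict shape used for the priming answer is an assumption of this example, and in practice you would fill it from a real "." NS query.

```python
"""Cross-check configured root hints against a priming response.

Added example (not from the mailing-list thread). A resolver cannot use
DNSSEC to validate data it reads from its own hints file, so the useful
check is to prime: ask a root server for the "." NS set plus glue and diff
that against what the configuration says. Sample data below is constructed
and uses documentation address space only.
"""

# Constructed sample hints in named.root format (RFC 5737 / RFC 3849 space).
SAMPLE_HINTS = """\
; constructed sample, not a real root.hints
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.1
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:db8::1
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     192.0.2.12
"""

# Constructed priming answer, same shape the parser produces:
# {owner: {rrtype: set(rdata)}}. Here "L" has moved to a new v4 address,
# which is the situation the post is about (addresses are fictional).
SAMPLE_PRIMING = {
    ".": {"NS": {"A.ROOT-SERVERS.NET.", "L.ROOT-SERVERS.NET."}},
    "A.ROOT-SERVERS.NET.": {"A": {"192.0.2.1"}, "AAAA": {"2001:db8::1"}},
    "L.ROOT-SERVERS.NET.": {"A": {"198.51.100.12"}},
}


def parse_hints(text):
    """Parse named.root-style lines into {owner: {rrtype: set(rdata)}}.

    Comments (';') and blank lines are skipped; only NS, A and AAAA records
    are kept. Owner names and NS targets are upper-cased, addresses are
    lower-cased, so comparisons are case-insensitive.
    """
    hints = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"unexpected hints line: {raw!r}")
        owner, _ttl, rrtype, rdata = parts
        rrtype = rrtype.upper()
        if rrtype not in ("NS", "A", "AAAA"):
            continue
        rdata = rdata.upper() if rrtype == "NS" else rdata.lower()
        hints.setdefault(owner.upper(), {}).setdefault(rrtype, set()).add(rdata)
    return hints


def compare(hints, priming):
    """Diff configured hints against a priming answer.

    Returns {"stale": [...], "missing": [...]} of (owner, rrtype, rdata).
    "stale" is data present in the hints but not in the priming answer; a
    resolver that treats its hints as authoritative would keep using it.
    "missing" is data the root servers publish that the hints lack.
    """
    stale, missing = [], []
    for owner in sorted(set(hints) | set(priming)):
        h, p = hints.get(owner, {}), priming.get(owner, {})
        for rrtype in sorted(set(h) | set(p)):
            hset, pset = h.get(rrtype, set()), p.get(rrtype, set())
            stale.extend((owner, rrtype, r) for r in sorted(hset - pset))
            missing.extend((owner, rrtype, r) for r in sorted(pset - hset))
    return {"stale": stale, "missing": missing}


def report(diff):
    """Render a compare() result as text, one line per finding."""
    lines = [f"STALE   {o} {t} {r}" for o, t, r in diff["stale"]]
    lines += [f"MISSING {o} {t} {r}" for o, t, r in diff["missing"]]
    return "\n".join(lines) if lines else "hints match priming answer"


if __name__ == "__main__":
    print(report(compare(parse_hints(SAMPLE_HINTS), SAMPLE_PRIMING)))
```

Run against a real resolver, the priming dict would come from a "." NS query sent to one of the configured hint addresses; a STALE line for a root server's address is exactly the case where DNSSEC offers no help and the hints file itself needs updating.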