[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers

Shane Kerr Shane_Kerr at isc.org
Wed May 21 12:14:36 UTC 2008


Ed,

On May 21, 2008, at 14:00 +0200, Edward Lewis wrote:

> At 12:38 +0200 5/21/08, Shane Kerr wrote:
>
>> Now that we've seen DNS-based problems with the root in the wild,
>> perhaps it is time to consider signing ROOT-SERVERS.NET?
>
> The knee-jerk reaction to this question, which really isn't a direct
> answer, is that DNSSEC would have had no bearing on the recent
> incident.  Because in the incident, the root zone answers were not
> being altered.  It's as if you asked a cache (but with the AA bit on).
>
> The problem isn't that the wrong address for L root were being
> obtained via a query, the problem is that many DNS implementations
> assume root server addresses (via hard coding or via configuration).
> These implementations believe the old address is authoritative and
> thus wouldn't use the RFC 2181 rules to question it.

Clients don't have any trusted way to update root name server
addresses. If they did, then they could use that.

Looking up [a-m].root-servers.net using DNSSEC would seem to provide a
mechanism to do that using existing technology.

Root name servers change IP addresses now and then. Why not do a
really, really easy thing that will make this more secure in the future?

--
Shane
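The refresh mechanism Shane describes, as an added example that is not code from the thread, from ISC or from any resolver: a stub keeps its hard-coded root hints and accepts a new address for an [a-m].root-servers.net name only from an answer that was DNSSEC-validated, here signalled by the AD bit of a validating resolver's response, and ignores unvalidated answers exactly as it would ordinary cache data. The wire messages, the hint table (192.0.2.x documentation addresses, not the real root hints), the function names and the assumption that the validating resolver is reached over a trusted path are all constructed for this example; a client that validates for itself would check the RRSIGs against the trust anchor instead of relying on AD, which this example does not do.

```python
"""Hint refresh from DNSSEC-validated answers (constructed example)."""
import struct

TYPE_A = 1
CLASS_IN = 1
FLAG_QR = 0x8000   # response
FLAG_AD = 0x0020   # authenticated data (set by a validating resolver)

# Constructed hint table: placeholder addresses, not the real root hints.
CONFIGURED_HINTS = {
    "a.root-servers.net.": "192.0.2.1",
    "l.root-servers.net.": "192.0.2.12",
}


def encode_name(name):
    """Wire-encode a dotted name without compression (RFC 1035 3.1)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def build_response(qname, answers, ad):
    """Construct a minimal response: one A question plus (owner, ipv4) answers.

    Only used here to fabricate input; a real client would receive this
    from its validating resolver.
    """
    flags = FLAG_QR | (FLAG_AD if ad else 0)
    msg = bytearray(struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0))
    msg += encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    for owner, ip in answers:
        rdata = bytes(int(octet) for octet in ip.split("."))
        msg += encode_name(owner)
        msg += struct.pack("!HHIH", TYPE_A, CLASS_IN, 3600000, len(rdata)) + rdata
    return bytes(msg)


def parse_name(msg, off):
    """Decode a name at off, following compression pointers (RFC 1035 4.1.4).

    Returns (dotted name with trailing dot, offset just past the name field).
    """
    labels, jumped, end, hops = [], False, None, 0
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:          # 2-byte pointer
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels) + ".", end


def parse_a_answers(msg):
    """Return (ad_bit_set, {owner: ipv4}) for IN A records in the answer section."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not (flags & FLAG_QR):
        raise ValueError("not a response")
    off = 12
    for _ in range(qdcount):
        _, off = parse_name(msg, off)
        off += 4                              # skip QTYPE and QCLASS
    found = {}
    for _ in range(ancount):
        owner, off = parse_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            found[owner.lower()] = ".".join(str(b) for b in rdata)
    return bool(flags & FLAG_AD), found


def refresh_hints(msg, hints):
    """Update hints from a validated answer; return {owner: (old, new)} changes.

    Without the AD bit nothing is trusted and the configured hints stand,
    which is the behaviour the thread describes for hard-coded addresses.
    """
    validated, found = parse_a_answers(msg)
    if not validated:
        return {}
    changes = {}
    for owner, ip in found.items():
        if not owner.endswith(".root-servers.net."):
            continue                          # out-of-bailiwick data is ignored
        old = hints.get(owner)
        if old != ip:
            changes[owner] = (old, ip)
            hints[owner] = ip
    return changes


if __name__ == "__main__":
    hints = dict(CONFIGURED_HINTS)
    msg = build_response("l.root-servers.net.",
                         [("l.root-servers.net.", "192.0.2.99")], ad=True)
    print(refresh_hints(msg, hints))
```

The bailiwick check matters as much as the AD check: an answer section can carry unrelated owner names, and a hint table should never be rewritten from them.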



More information about the dns-operations mailing list