[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers
drc at virtualized.org
Wed May 21 14:36:27 UTC 2008
On May 20, 2008, at 11:54 PM, Roland Dobbins wrote:
> On May 21, 2008, at 1:46 PM, Kurt Erik Lindqvist wrote:
>> I have my doubts about fixing things in code.
>
> Don't fix it in code, per se; fix it in defaults (yes, this often
> amounts to the same thing, but it's certainly preferable to hardcoding
> some value).

You are aware, of course, that at least two caching name servers have
the IP addresses in code already, right?

> Make use of a publish/subscribe model (in-band or out-of-
> band) to manage any necessary transitions.

And invent a new protocol, implement it, redeploy every caching server
on the planet, watch for security bugs, etc.

If we're done knee jerking, what I'm suggesting is that we fix the IP
addresses for the root servers so that they no longer change. If
there is need to change a root server _OPERATOR_, the registrant for
the IP address changes. You don't go and require changes to every
bloody caching server on the planet.