[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers

David Conrad drc at virtualized.org
Wed May 21 14:36:27 UTC 2008

On May 20, 2008, at 11:54 PM, Roland Dobbins wrote:
> On May 21, 2008, at 1:46 PM, Kurt Erik Lindqvist wrote:
>> I have my doubts about fixing things in code.
> Don't fix it in code, per se; fix it in defaults (yes, this often
> amounts to the same thing, but it's certainly preferable to hardcoding
> some value).

You are aware, of course, that at least two caching name servers have  
the IP addresses in code already, right?

> Make use of a publish/subscribe model (in-band or out-of-
> band) to manage any necessary transitions.

And invent a new protocol, implement it, redeploy every caching server  
on the planet, watch for security bugs, etc.

If we're done knee jerking, what I'm suggesting is that we fix the IP  
addresses for the root servers so that they no longer change.  If  
there is need to change a root server _OPERATOR_, the registrant for  
the IP address changes.  You don't go and require changes to every  
bloody caching server on the planet.


