[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers

Peter Koch pk at DENIC.DE
Wed May 21 17:22:13 UTC 2008


On Wed, May 21, 2008 at 02:14:36PM +0200, Shane Kerr wrote:

> Looking up [a-m].root-servers.net using DNSSEC would seem to provide a  
> mechanism to do that using existing technology.

well, yes, but last time that was proposed, we were told that the root hints
are no different from referral data, which isn't DNSSEC secured either.
Of course, with DNSSEC it is less important who distributes the answers
as long as these responses validate.

However, if the resolvers would prime as they are expected to, all the
decommissioned L (B, J, you name it) server would see was priming queries.
Since that doesn't seem to be the case, the problem is elsewhere.

-Peter

PS: FWIW, having changed a TLD server's address recently, experiences
    are similar, even though no "hints" are involved.



More information about the dns-operations mailing list