[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers
Kurt Erik Lindqvist
kurtis at kurtis.pp.se
Wed May 21 18:53:12 UTC 2008
David,
On 21 May 2008, at 20.41, David Conrad wrote:
> Kurtis,
>
> On May 21, 2008, at 10:33 AM, Kurt Erik Lindqvist wrote:
>>>> Especially for boot-strapping. It just becomes even harder to
>>>> change the model if we ever have to...
>>> If you change the model, you have to muck with code.
>> My point is that we risk running into all kinds of weird behavior in
>> the future. Take adding AAAA glue. Not all operators are ready for
>> deploying it at production quality right now.
>
> The BCP would specify the addresses and they would be assigned to
> root server operators as they are prepared to start using them.
>
> Again, the point is the addresses would be associated with the
> SERVICE not the OPERATOR. If a root server operator decided they
> had better things to do with their lives than answer DNS root
> queries, we wouldn't have to deal with changing every caching server
> on the entire planet. All that would change would be the
> organization originating the route to the address.
Hmm. I *think* that what you are proposing is more than just an "IANA
action" or a model that fits into an RFC. I believe this would
constitute a far more far-reaching change than that. The change described
above would also mean that IANA could declare a user of said IP
address no longer the right user. That is quite a change from the
model of today. That change might or might not be desirable but IMHO
it's a different topic and will go into a large rathole that I think
we will do best to avoid.
>> Imagine we come up with something in the future, we then need again
>> wait for updates of software to propagate. Take the addition of new
>> RRs for example. TXT seems popular...
>
> You're suggesting that we're going to start putting new RRs, e.g.,
> TXT in the root hints file? And this isn't going to require
> software updates to propagate?
No, I tried to make a bad analogy.
- kurtis -