[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers

David Conrad drc at virtualized.org
Wed May 21 21:45:44 UTC 2008


On May 21, 2008, at 11:53 AM, Kurt Erik Lindqvist wrote:
>> Again, the point is the addresses would be associated with the  
>> SERVICE not the OPERATOR.  If a root server operator decided they  
>> had better things to do with their lives than answer DNS root  
>> queries, we wouldn't have to deal with changing every caching  
>> server on the entire planet.  All that would change would be the  
>> organization originating the route to the address.
>
> Hmm. I *think* that what you are proposing is more than just an  
> "IANA action" or a model that fits into an RFC.

No more than RFC 3068 defining the service behind 192.88.99.0/24.

> I believe this would constitute far more reaching change than that.  
> The change described above would also mean that IANA could declare a  
> user of said IP address no longer the right user.

How the addresses are assigned (or reassigned) is an administrative  
matter outside of the scope of a BCP that defines the service behind  
the addresses.

I realize that some (all?) root server operators see this as a threat  
to their Jon-given right to run root servers.  That is not the case.   
There is no assumption that the "golden" addresses would not be  
operated by the existing root server operators.  The determination of  
_who_ runs a root server is not appropriate for definition in an RFC  
(IMHO).

> That is quite a change from the model of today. That change might or  
> might not be desirable but IMHO it's a different topic and will go  
> into a large rathole that I think we will do best to avoid.

Indeed.  I am not suggesting we go down that rathole as it involves  
discussing _many_ layer 9 issues.

I'm suggesting we fix the problem of renumbering root servers.  We can  
either fix it by removing the problem (that is, not renumber) or we  
can come up with a protocol and implement the protocol (and ignore the  
fact that old root server addresses still get O(100) queries per second  
after 10 years).

Regards,
-drc
