[dns-operations] Just another "sitefinder" ISP

Florian Weimer fw at deneb.enyo.de
Thu May 22 11:06:16 UTC 2008

* Paul Vixie:

> now this, on the other hand, is a problem dnssec could actually solve.

Yes, but this is just an accident, and not the result of deliberate
protocol design or operational constraints.

On paper, DNS is a transparent, distributed database.  Kabel Deutschland
makes it non-transparent, currently on the customer's entry point to the
DNS network.  They could do that on the IP entry point as well, arguing
they want to protect customers against maliciously changed DNS resolvers.
In that case, DNSSEC will probably stop working properly.  An external
resolver on the unmediated Internet would then be needed, with
communication over (D)TLS, and it does not really matter if that
resolver uses DNSSEC or not.

Using magic addresses for the root servers would only encourage such
tampering.  So I agree that it's not a good idea.
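The "non-transparent" behaviour the message describes (a resolver answering NOERROR with an A record for a name that does not exist, instead of NXDOMAIN) can be checked for from the client side by probing with a name known not to exist and inspecting the wire-format reply. The following is an added example, not code from the list or from any of the operators mentioned: it constructs DNS responses in wire format in place of real network traffic, parses the header and answer section, and classifies a reply to a known-nonexistent probe name as an honest NXDOMAIN or a rewrite. The AD flag is decoded as well, since a validating stub would expect it on a signed answer and a rewritten answer cannot legitimately carry it. All names, addresses and resolver labels are constructed sample values.

```python
"""Detect sitefinder-style NXDOMAIN rewriting in DNS wire-format replies.

Added example with constructed data; no network access is performed.
"""
import struct

NXDOMAIN = 3  # RCODE value for "name does not exist"
AD_FLAG = 0x0020  # Authenticated Data bit in the DNS header flags word


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, rcode, a_records, ad=False, txid=0x1234):
    """Construct a minimal DNS response for an A query (test data only).

    a_records is a list of dotted IPv4 strings placed in the answer section.
    """
    flags = 0x8000 | (AD_FLAG if ad else 0) | (rcode & 0xF)  # QR=1, AD, RCODE
    header = struct.pack("!HHHHHH", txid, flags, 1, len(a_records), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN
    answers = b""
    for ip in a_records:
        rdata = bytes(int(o) for o in ip.split("."))
        answers += encode_name(qname) + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answers


def decode_name(data, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(data):
    """Return rcode, AD flag and the A records found in the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):  # skip the question section
        _name, offset = decode_name(data, offset)
        offset += 4  # QTYPE + QCLASS
    a_records = []
    for _ in range(an):
        _name, offset = decode_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            a_records.append(".".join(str(b) for b in rdata))
    return {"rcode": flags & 0xF, "ad": bool(flags & AD_FLAG), "a_records": a_records}


def classify_probe_reply(data):
    """Classify a reply to a query for a name that is known NOT to exist.

    'honest-nxdomain': resolver reported NXDOMAIN with no answer records.
    'rewritten':       resolver answered NOERROR with A records (sitefinder-style).
    'other':           anything else (e.g. SERVFAIL), worth a closer look.
    """
    r = parse_response(data)
    if r["rcode"] == NXDOMAIN and not r["a_records"]:
        return "honest-nxdomain"
    if r["rcode"] == 0 and r["a_records"]:
        return "rewritten"
    return "other"


def find_rewriting_resolvers(replies):
    """Given {resolver_label: reply_bytes} for the same probe, list the rewriters."""
    return sorted(label for label, data in replies.items()
                  if classify_probe_reply(data) == "rewritten")


if __name__ == "__main__":
    probe = "does-not-exist-probe.example"  # constructed nonexistent name
    replies = {  # constructed replies from two hypothetical resolvers
        "isp-resolver": build_response(probe, 0, ["192.0.2.10"]),
        "external-resolver": build_response(probe, NXDOMAIN, []),
    }
    for label, data in replies.items():
        print(label, classify_probe_reply(data), parse_response(data))
    print("rewriting:", find_rewriting_resolvers(replies))
```

In a real check the reply bytes would come from a UDP or TCP query to each resolver under test; the classification logic stays the same. A resolver that answers the probe with NOERROR plus an address, and never sets AD on signed zones, is behaving exactly as the message describes.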

