[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers
simonw at zynet.net
Thu May 22 13:25:06 UTC 2008
On Thursday 22 May 2008 13:32, Edward Lewis wrote:
> At 14:10 +0800 5/22/08, Joao Damas wrote:
> >if DNSSEC was in use then the origin of the data wouldn't matter, and
> >that includes the root zone.
> During the incident, the data returned was coherent with the rest of
> the root servers,
Was "believed to be coherent". I'm sure it was, but no one can prove it since
any rogue root operator could serve different data to different addresses.
But it depends whether you think the "incident" is people asking a server that
they shouldn't because it is removed (due to poor maintenance of their root
hints - I suspect I'm guilty here since my preferred OS release cycle is
slower than the 6 month announcements - or broken DNS resolvers), or that
they accepted and believed the answers they received uncritically.
I think folks need to be clear what problem they are trying to solve. I was
trying to address the how we know answers purporting to be from root (or
hints) servers aren't lying issue. Which is different from stopping things
purporting to be root servers (or stopping things intercepting or forging
traffic from root servers). I'd argue this is probably the most useful
problem to solve, especially if it generalises to other zones.
> so the origin wasn't an issue. (Harking back to
> why DNSSEC wasn't the solution to this incident.)
I said encryption not DNSSEC. I don't know enough about the details of DNSSEC
to say if it would fix a case of a rogue server in a root hints, since I
don't know how it establishes the trust of "." initially. I assume to do this
securely there would need to be some sort of out of band verification of the
key signing the root zone.
More information about the dns-operations