[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers

[Simon Waters]

On Thursday 22 May 2008 13:32, Edward Lewis wrote:
> At 14:10 +0800 5/22/08, Joao Damas wrote:
> >if DNSSEC was in use then the origin of the data wouldn't matter, and
> >that includes the root zone.
>
> During the incident, the data returned was coherent with the rest of
> the root servers,

Was "believed to be coherent". I'm sure it was, but no one can prove it since 
any rogue root operator could serve different data to different addresses.

But it depends whether you think the "incident" is people asking a server that 
they shouldn't because it is removed (due to poor maintenance of their root 
hints - I suspect I'm guilty here since my preferred OS release cycle is 
slower than the 6 month announcements - or broken DNS resolvers), or that 
they accepted and believed the answers they received uncritically.

I think folks need to be clear what problem they are trying to solve. I was 
trying to address the how we know answers purporting to be from root (or 
hints) servers aren't lying issue. Which is different from stopping things 
purporting to be root servers (or stopping things intercepting or forging 
traffic from root servers). I'd argue this is probably the most useful 
problem to solve, especially if it generalises to other zones.

> so the origin wasn't an issue.  (Harking back to 
> why DNSSEC wasn't the solution to this incident.)

I said encryption not DNSSEC. I don't know enough about the details of DNSSEC 
to say if it would fix a case of a rogue server in a root hints, since I 
don't know how it establishes the trust of "." initially. I assume to do this 
securely there would need to be some sort of out of band verification of the 
key signing the root zone.