[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers
David Conrad
drc at virtualized.org
Thu May 22 14:29:48 UTC 2008
Florian,
On May 22, 2008, at 4:00 AM, Florian Weimer wrote:
> Most end user systems don't use the IPPROTO_DNS constant there; the port
> is configurable and 53 is just the default.
In several DNS server implementations today, you do not need a hints
_file_. The hints are encoded in the binary. You _can_ have a hints
file that overrides the built-in hints if you want to (say) point to
internal root servers or something.
> This is not just an academic observation.
No, it is a strawman. I'm not suggesting you make the ability to
change the 'default' a crime against humanity. I'm suggesting that
since it is so hard to change root server addresses, we remove the
need to.
Unfortunately, some root server operators see the idea of making it
easier to disassociate the address from the organization providing
root service and re-associate it with a different organization as a
threat. Perhaps this is understandable since it is much nicer to not
have to be formally accountable to anyone, less of a burden to operate
in non-transparent and non-open ways, more fun to have secret
meetings, etc.
However, as I've said, I'm not suggesting anything as radical as
making the root server operators accountable, open, and transparent.
All I am suggesting is that we deal with the operational and security
risks associated with the change of root server addresses.
Regards,
-drc
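A check a resolver operator could run for the operational risk raised in this message (root server addresses that change while configured hints stay put), added here as an example and not part of the thread: parse a hints file in the usual root.hints zone-file layout and diff each root server's addresses against what a priming query returns today. Both the hints text and the "current" address set are constructed with documentation-range addresses, not the real root servers.

```python
from typing import Dict, List, Set, Tuple

# Constructed hints file in root.hints zone-file layout (owner TTL [class] type rdata).
# Names and addresses are placeholders, not the real root servers.
SAMPLE_HINTS = """\
.                        3600000      NS    A.ROOT-SERVERS.EXAMPLE.
.                        3600000      NS    B.ROOT-SERVERS.EXAMPLE.
A.ROOT-SERVERS.EXAMPLE.  3600000      A     192.0.2.1
A.ROOT-SERVERS.EXAMPLE.  3600000      AAAA  2001:db8::1
B.ROOT-SERVERS.EXAMPLE.  3600000      A     192.0.2.2   ; B has since moved
"""

# Constructed stand-in for the answer to a priming query ("." NS plus glue)
# sent to one of the roots today: B renumbered and gained an IPv6 address.
CURRENT_ROOT_ADDRS: Dict[str, Set[str]] = {
    "a.root-servers.example.": {"192.0.2.1", "2001:db8::1"},
    "b.root-servers.example.": {"192.0.2.22", "2001:db8::2"},
}

def parse_hints(text: str) -> Dict[str, Set[str]]:
    """Return {root server name: configured addresses} from hints-file text."""
    names: Set[str] = set()
    addrs: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()      # drop comments, tokenize
        if len(fields) < 4:                        # blank or malformed line
            continue
        owner, rtype, rdata = fields[0].lower(), fields[-2].upper(), fields[-1].lower()
        if rtype == "NS" and owner == ".":
            names.add(rdata)
        elif rtype in ("A", "AAAA"):
            addrs.setdefault(owner, set()).add(rdata)
    # A name listed as NS but without glue shows up with an empty address set.
    return {name: addrs.get(name, set()) for name in names}

def stale_entries(hints: Dict[str, Set[str]],
                  current: Dict[str, Set[str]]) -> Dict[str, Tuple[List[str], List[str]]]:
    """Per server: (addresses only in the hints, addresses only in the live root)."""
    drift = {}
    for name, configured in hints.items():
        live = current.get(name, set())
        removed, added = configured - live, live - configured
        if removed or added:
            drift[name] = (sorted(removed), sorted(added))
    return drift

if __name__ == "__main__":
    for name, (gone, new) in stale_entries(parse_hints(SAMPLE_HINTS), CURRENT_ROOT_ADDRS).items():
        print(f"{name}: hints still list {gone}, root now advertises {new}")
```

In production the `CURRENT_ROOT_ADDRS` side would come from an actual priming query rather than a literal, and a non-empty result is the signal to refresh the hints before the old addresses stop answering.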