[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers

David Conrad drc at virtualized.org
Thu May 22 14:29:48 UTC 2008


On May 22, 2008, at 4:00 AM, Florian Weimer wrote:
> Most end user systems don't use the IPPROTO_DNS constant there; the
> port is configurable and 53 is just the default.

In several DNS server implementations today, you do not need a hints  
_file_.  The hints are encoded in the binary.  You _can_ have a hints  
file that overrides the built in hints if you want to (say) point to  
internal root servers or something.

> This is not just an academic observation.

No, it is a strawman.  I'm not suggesting you make the ability to  
change the 'default' a crime against humanity.  I'm suggesting that  
since it is so hard to change root server addresses, we remove the  
need to.

Unfortunately, some root server operators see the idea of making it  
easier to disassociate the address with the organization providing  
root service and re-associate it with a different organization as a  
threat.  Perhaps this is understandable since it is much nicer to not  
have to be formally accountable to anyone, less of a burden to operate  
in non-transparent and non-open ways, more fun to have secret  
meetings, etc.

However, as I've said, I'm not suggesting anything as radical as  
making the root server operators accountable, open, and transparent.   
All I am suggesting is that we deal with the operational and security  
risks associated with the change of root server addresses.