[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers

Paul Vixie paul at vix.com
Thu May 22 18:12:46 UTC 2008


> 	"golden" addresses are frowned on officially by the IAB.

and by me.

> 	fixing the "problem", can be :
> 
> 	- not renumbering ever again (ISC seems to like this approach,
> 		they can hard-code more prefixes into BIND)

we hard-code root server addresses into BIND9 because ISC's Executive Director
at the time BIND9 was first written, David R. Conrad, felt it was a good idea,
and nobody has complained or shown us why it's bad.  note that these compiled
in hints are only used if there is no "hints file".  and hints of any kind,
whether compiled in or provided in a "hints file", are only used when there
is no cached RRset for ". IN NS".

> 	- come up w/ a new method/protocol

if we had DNSSEC, and automated trust anchor rollover, then we could validate
the incoming ". IN NS" RRset from the network, as well as new DNSKEY values,
and actually rewrite the "hints file".  as long as a server wasn't shut down
(or still in its box from the factory) during lots of successive rollovers or
during a renumbering of all previously known root servers, this would do away
with the problem of "stale hints".

yes, you heard me say it, there is a problem DNSSEC would be good for solving.

but golden addresses is just crazy talk.
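As an added example (not code from the original post, from ISC or from BIND), the sketch below works through the "rewrite the hints file" idea in the message: parse a BIND-style root hints file, compare it with the ". IN NS" RRset and glue from a priming response, report which hints have gone stale, and emit a refreshed file. The DNSSEC validation step is assumed to have been done by a validating resolver before this code runs and is represented only by a `validated` flag; the server names (`*.root-servers.example.`) and addresses (RFC 5737 / RFC 3849 documentation ranges) are constructed for the example and are not the real root server data. The rewrite refuses when nothing in the old file overlaps the new set, which is the "slept through a complete renumbering" case the post points out cannot be recovered from hints alone.

```python
"""Refresh a BIND-style root hints file from a (validated) priming response.

Added example, not ISC/BIND code.  All names and addresses below are
constructed (documentation-only address ranges); DNSSEC validation of the
priming response is assumed to have happened upstream and is passed in as
a flag.
"""

# Constructed stale hints: server c has been renumbered and server d has
# been withdrawn since this file was written (both hypothetical).
OLD_HINTS = """\
; constructed hints file, not real root zone data
.                        3600000  IN  NS    a.root-servers.example.
.                        3600000  IN  NS    b.root-servers.example.
.                        3600000  IN  NS    c.root-servers.example.
.                        3600000  IN  NS    d.root-servers.example.
a.root-servers.example.  3600000      A     192.0.2.1
a.root-servers.example.  3600000      AAAA  2001:db8::1
b.root-servers.example.  3600000      A     192.0.2.2
c.root-servers.example.  3600000      A     192.0.2.3
d.root-servers.example.  3600000      A     192.0.2.4
"""

# Constructed priming response: the ". IN NS" RRset plus A/AAAA glue, as a
# resolver would receive it from the network.
PRIMING = """\
.                        518400  IN  NS    a.root-servers.example.
.                        518400  IN  NS    b.root-servers.example.
.                        518400  IN  NS    c.root-servers.example.
a.root-servers.example.  518400  IN  A     192.0.2.1
a.root-servers.example.  518400  IN  AAAA  2001:db8::1
b.root-servers.example.  518400  IN  A     192.0.2.2
c.root-servers.example.  518400  IN  A     192.0.2.33
c.root-servers.example.  518400  IN  AAAA  2001:db8::33
"""


def parse_hints(text):
    """Parse zone-file style records into {ns_name: frozenset(addresses)}.

    Only NS records owned by "." and the A/AAAA glue for those names are
    kept.  TTL and class fields are optional, as in a hand-written hints
    file; ';' starts a comment.
    """
    ns_names, glue = [], {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        owner, rest = tokens[0].lower(), tokens[1:]
        if rest and rest[0].isdigit():          # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":    # optional class
            rest = rest[1:]
        if len(rest) < 2:
            raise ValueError(f"unparseable record: {raw!r}")
        rtype, rdata = rest[0].upper(), rest[1].lower()
        if rtype == "NS" and owner == ".":
            ns_names.append(rdata)
        elif rtype in ("A", "AAAA"):
            glue.setdefault(owner, set()).add(rdata)
    return {name: frozenset(glue.get(name, ())) for name in ns_names}


def compare(old, new):
    """Return (withdrawn names, new names, names whose glue changed)."""
    removed = sorted(set(old) - set(new))
    added = sorted(set(new) - set(old))
    renumbered = sorted(n for n in set(old) & set(new) if old[n] != new[n])
    return removed, added, renumbered


def refresh_hints(old_text, priming_text, validated, ttl=3600000):
    """Return rewritten hints text, or None when the rewrite is refused.

    Refused when the priming response did not validate (we must not let an
    unauthenticated answer rewrite our bootstrap data), when it carries no
    root NS records, or when no previously known address survives: a
    server that missed a complete renumbering cannot trust this response
    on the strength of its old hints and must be re-seeded out of band.
    """
    if not validated:
        return None
    old, new = parse_hints(old_text), parse_hints(priming_text)
    if not new:
        return None
    old_addrs = set().union(*old.values())
    new_addrs = set().union(*new.values())
    if not old_addrs & new_addrs:
        return None
    lines = ["; hints refreshed from a validated priming response (constructed example)"]
    for name in sorted(new):
        lines.append(f".\t{ttl}\tIN\tNS\t{name}")
    for name in sorted(new):
        for addr in sorted(new[name]):
            rtype = "AAAA" if ":" in addr else "A"
            lines.append(f"{name}\t{ttl}\tIN\t{rtype}\t{addr}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    removed, added, renumbered = compare(parse_hints(OLD_HINTS), parse_hints(PRIMING))
    print("withdrawn:", removed, "new:", added, "renumbered:", renumbered)
    print(refresh_hints(OLD_HINTS, PRIMING, validated=True), end="")
```

Run as a script it reports that d.root-servers.example. was withdrawn and c.root-servers.example. was renumbered, then prints the refreshed file; the same file fed back through `parse_hints` yields exactly the set taken from the priming response, so the rewrite is idempotent once the hints are current.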
