[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers
drc at virtualized.org
Thu May 22 19:43:51 UTC 2008
On May 22, 2008, at 11:12 AM, Paul Vixie wrote:
>> "golden" addresses are frowned on officially by the IAB.
> and by me.
I generally do not like golden addresses and would argue strongly
against fixed addresses for any other purpose, however I believe in
this specific case, because of the bootstrapping problem and because
of the demonstrated difficulty in renumbering, their benefits outweigh
If you have some specific concern about golden addresses for the
priming query, would you mind explaining?
> we hard-code root server addresses into BIND9 because ISC's
> Executive Director
> at the time BIND9 was first written, David R. Conrad, felt it was a
> good idea,
Actually, no. I was neutral. The _entire_ engineering staff doing
BINDv9 development felt it was a better solution since the root hints
are, for all intents and purposes, hardcoded in the Internet
operational architecture and BIND gets updated far more frequently
than those addresses change.
>> - come up w/ a new method/protocol
> if we had DNSSEC, and automated trust anchor rollover,
You forgot a rather important constraint:
and you could convince the folks who, after ten years, still send
O(100) queries per second to old root server addresses to upgrade to a
name server that (a) does both of these,
> then we could validate ...
As I've said, I'm quite skeptical that DNSSEC is a solution to this
> but golden addresses is just crazy talk.