[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers

David Conrad drc at virtualized.org
Thu May 22 19:43:51 UTC 2008


On May 22, 2008, at 11:12 AM, Paul Vixie wrote:
>> 	"golden" addresses are frowned on officially by the IAB.
> and by me.

I generally do not like golden addresses and would argue strongly  
against fixed addresses for any other purpose, however I believe in  
this specific case, because of the bootstrapping problem and because  
of the demonstrated difficulty in renumbering, their benefits outweigh  
their drawbacks.

If you have some specific concern about golden addresses for the  
priming query, would you mind explaining?

> we hard-code root server addresses into BIND9 because ISC's  
> Executive Director
> at the time BIND9 was first written, David R. Conrad, felt it was a  
> good idea,

Actually, no.  I was neutral.  The _entire_ engineering staff doing  
BINDv9 development felt it was a better solution since the root hints  
are, for all intents and purposes, hardcoded in the Internet  
operational architecture and BIND gets updated far more frequently  
than those addresses change.

>> 	- come up w/ a new method/protocol
> if we had DNSSEC, and automated trust anchor rollover,

You forgot a rather important constraint:

and you could convince the folks who, after ten years, still send  
O(100) queries per second to old root server addresses to upgrade to a  
name server that (a) does both of these,

> then we could validate ...

As I've said, I'm quite skeptical that DNSSEC is a solution to this  
particular problem.

> but golden addresses is just crazy talk.


http://www.faqs.org/rfcs/rfc3068.html

Regards,
-drc
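The thread above turns on the fact that root hints are effectively hard-coded and that stale copies keep sending queries to renumbered addresses for years. The following is an added example, not code from the post or from BIND: it parses a named.root-style hints file and diffs it against the answer to a priming query, reporting entries that are stale (still in the hints but no longer served) or missing (served but absent from the hints). The hints text and the priming answer are constructed for illustration, using documentation address ranges rather than real root server addresses; in practice the priming answer would come from a live query with a DNS library.

```python
# Added example (not from the mailing-list post): compare a BIND-style root
# hints file against a priming-query answer and report stale entries.
import re
from collections import defaultdict

# Constructed hints file in named.root syntax. Addresses are from the
# documentation ranges (RFC 5737 / RFC 3849), not real root server addresses.
HINTS_TEXT = """\
; constructed root hints for illustration only
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.1
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:db8::1
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.0.2.2
"""

# Constructed priming answer: B has been renumbered, so the hints are stale.
PRIMING_ANSWER = {
    "a.root-servers.net.": {"192.0.2.1", "2001:db8::1"},
    "b.root-servers.net.": {"192.0.2.22"},
}


def parse_hints(text):
    """Parse named.root-style lines into {owner: set(addresses)} for A/AAAA records.

    NS lines are skipped; comments (after ';') and blank lines are ignored.
    The record type is taken as the second-to-last field so an optional
    class field ("IN") does not break parsing.
    """
    hints = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        if len(fields) < 4:
            continue
        owner, rtype, rdata = fields[0].lower(), fields[-2].upper(), fields[-1]
        if rtype in ("A", "AAAA"):
            hints[owner].add(rdata.lower())
    return dict(hints)


def stale_hints(hints, priming):
    """Return {server: {"stale": [...], "missing": [...]}} for servers that differ.

    "stale" addresses are in the hints but no longer in the priming answer;
    "missing" addresses are served now but absent from the hints. Servers
    whose address sets match are omitted from the report.
    """
    report = {}
    for server, addrs in hints.items():
        current = {a.lower() for a in priming.get(server, set())}
        stale = addrs - current
        missing = current - addrs
        if stale or missing:
            report[server] = {"stale": sorted(stale), "missing": sorted(missing)}
    return report


if __name__ == "__main__":
    # Usage: run the check on the constructed data and print any drift.
    for server, diff in stale_hints(parse_hints(HINTS_TEXT), PRIMING_ANSWER).items():
        print(f"{server}: stale={diff['stale']} missing={diff['missing']}")
```

The check is one-directional by design: it only reports servers named in the hints file, because a resolver with a stale file never learns about servers it has no entry for until the priming query itself succeeds.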