[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers

Edward Lewis Ed.Lewis at neustar.biz
Fri May 23 14:37:53 UTC 2008

At 8:12 -0600 5/23/08, Danny McPherson wrote:

>This seems backwards to me.  Someone asserts reachability
>for a root name server, fields queries to that root, and you're
>saying the burden of proof should be on the community to
>provide "proof" of incoherent answers?    So, I could do the
>same, and so long as my queries are _presumably_ coherent,
>it's not a problem?

No, that's not the point...the point is that as far as this most 
recent incident was concerned, incoherency was not mentioned until 
the subject post.  As the post started out saying we needed a clear 
description of the problem to solve, I questioned the suggestion that 
there were incoherent responses.

From all accounts, the responses from the ersatz L root server were 
the same as from the other servers.  While it is possible that 
incoherency could happen in this situation, there is no evidence that 
it did.

Going back to the "what is the problem" - the problem here is that 
the registered holder of the IP space took advantage of the vacancy 
of the root server.  This is a situation that only 13 entities could 
possibly have, but, as Daniel posted regarding the RIPE NCC's server, 
not all 13 will.

It is possible that this is a unique event.  How many other root 
servers are sitting on addresses not registered to the server 
operator?  (I don't know without looking it up.)  In this (possibly) 
unique event, the added spice is that the root server address is 
registered to the operator of a different root server.  And that is 
probably why incoherency didn't happen.

But getting back to the question at hand - I do think there is a 
burden of proof upon the accusers, in general.  I guess the 
missing link is that I'm not saying that in this incident there was 
no "guilt" - it's just that there was no evidence of incoherency and 
we shouldn't add to the legend post mortem.  We had something go 
wrong here; incoherency wasn't part of it.

Edward Lewis                                                +1-571-434-5468

Never confuse activity with progress.  Activity pays more.
