[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers

Danny McPherson danny at tcb.net
Fri May 23 14:54:32 UTC 2008 

On May 23, 2008, at 8:37 AM, Edward Lewis wrote:
>
> No, that's not the point...the point is that as far as this most  
> recent incident was concerned, incoherency was not mentioned until  
> the subject post.  As the post started out saying we needed a clear  
> description of the problem to solve, I questioned the suggestion  
> that there were incoherent responses.

It may not have been mentioned here, but it was certainly
mentioned elsewhere.

> From all accounts, the responses from the ersatz L root server were  
> the same as from the other servers.  While it is possible that  
> incoherency could happen in this situation, there is no evidence  
> that it did.

But is there evidence that it did not?

> Going back to the "what is the problem" - the problem here is that  
> the registered holder of the IP space took advantage of the vacancy  
> of the root server.  This is a situation that only 13 entities could  
> possibly have, but, as Daniel posted regarding the RIPE NCC's  
> server, not all 13 will.
>
> It is possible that this is a unique event.  How many other root  
> servers are sitting on addresses not registered to the server  
> operator?  (I don't know without looking it up.)  In this (possibly)  
> unique event, the added spice is that the root server address is  
> registered to the operator of a different root server.  And that is  
> probably why incoherency didn't happen.

Assuming it didn't.  I care that it could have, not whether it
did or not.

> But getting back to the question at hand - I do think there is a  
> burden of proof upon the accusers, in general.  I guess what's the  
> missing link is that I'm not saying that in this incident there was  
> no "guilt" - it's just that there was no evidence of incoherency and  
> we shouldn't add to the legend post mortem.  We had something go  
> wrong here, incoherency wasn't part of it.

Again, you don't know that any more than I know that incoherency
did exist, and I think it's fully reasonable to require some level of
detail from the perpetrator evidencing why incoherency did not
exist.

Given that corrupt DNS resolution paths are very nice to have, this
simply streamlines the model, and root operators OR those that assert
root identities, should be held to the highest standards in this  
area.  To
simply assume it didn't happen isn't acceptable.

-danny

More information about the dns-operations mailing list