[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers

Edward Lewis Ed.Lewis at neustar.biz
Fri May 23 15:11:22 UTC 2008

At 8:54 -0600 5/23/08, Danny McPherson wrote:

>It may not have been mentioned here, but it was certainly
>mentioned elsewhere.


>Again, you don't know that any more than I know that incoherency
>did exist, and I think it's fully reasonable to require some level of
>detail from the perpetrator evidencing why incoherency did not

That's true.  It's like this - I hear tales of the event, none of 
which includes a report of incoherency.  Then someone says:

>>Was "believed to be coherent". I'm sure it was, but no one can prove it since
>>any rogue root operator could serve different data to different addresses.

That isn't to me any indication that there was incoherency.  (Note: 
"I'm sure it was [coherent].")  So, my question later was - is anyone 
reporting incoherency?

This isn't about guilt/innocence, it's about getting the story right. 
Where this is a tipping point for me is - without incoherency, DNSSEC 
would not have stopped this.  With incoherency, we could point to a 
situation that would have been helped by DNSSEC.  When I hear someone 
say "DNSSEC would solve this" I then have to ask "why?"

>Given that corrupt DNS resolution paths are very nice to have, this
>simply streamlines the model, and root operators OR those that assert
>root identities, should be held to the highest standards in this area.  To
>simply assume it didn't happen isn't acceptable.

And to assume the worst is also not acceptable.  As engineers we 
should be solving real problems, not addressing what we fear might 
happen.  (Yes, yes, design to capacity and environmental factors and 
what not, the 100-year flood plane.)  It would be nice to engineer a 
perfect world, free from all dangers, but there's not enough time or 
money to do that.


In 1995 I was told by an internal customer that "I fear your design 
won't support my needs."  My response was "I'm an engineer, not a 
priest.  You'll have to show me what I need to solve for.  I don't do 
feelings."  Heck, I would have liked to give the guy more, but there 
are budget constraints to meet.

Edward Lewis                                                +1-571-434-5468

Never confuse activity with progress.  Activity pays more.

More information about the dns-operations mailing list