[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers
Ed.Lewis at neustar.biz
Fri May 23 15:11:22 UTC 2008
At 8:54 -0600 5/23/08, Danny McPherson wrote:
>It may not have been mentioned here, but it was certainly
>Again, you don't know that any more than I know that incoherency
>did exist, and I think it's fully reasonable to require some level of
>detail from the perpetrator evidencing why incoherency did not
That's true. It's like this - I hear tales of the event, none of
which includes a report of incoherency. Then someone says:
>>Was "believed to be coherent". I'm sure it was, but no one can prove it since
>>any rogue root operator could serve different data to different addresses.
That isn't to me any indication that there was incoherency. (Note:
"I'm sure it was [coherent].") So, my question later was - is anyone
This isn't about guilt/innocence, it's about getting the story right.
Where this is a tipping point for me is - without incoherency, DNSSEC
would not have stopped this. With incoherency, we could point to a
situation that would have been helped by DNSSEC. When I hear someone
say "DNSSEC would solve this" I then have to ask "why?"
>Given that corrupt DNS resolution paths are very nice to have, this
>simply streamlines the model, and root operators OR those that assert
>root identities, should be held to the highest standards in this area. To
>simply assume it didn't happen isn't acceptable.
And to assume the worst is also not acceptable. As engineers we
should be solving real problems, not addressing what we fear might
happen. (Yes, yes, design to capacity and environmental factors and
what not, the 100-year flood plane.) It would be nice to engineer a
perfect world, free from all dangers, but there's not enough time or
money to do that.
In 1995 I was told by an internal customer that "I fear your design
won't support my needs." My response was "I'm an engineer, not a
priest. You'll have to show me what I need to solve for. I don't do
feelings." Heck, I would have liked to give the guy more, but there
are budget constraints to meet.
Edward Lewis +1-571-434-5468
Never confuse activity with progress. Activity pays more.
More information about the dns-operations