[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers

Danny McPherson danny at tcb.net
Fri May 23 15:22:21 UTC 2008


On May 23, 2008, at 9:11 AM, Edward Lewis wrote:
>
> Where?

Well, it's implicitly mentioned in the Renesys blog, for
example:

"Everything checked out for our limited tests. So at least the bogus  
name servers might have been providing the correct responses while  
they were in service, which may be why no one noticed a problem."

And I've mentioned it, and it's been mentioned here, and
it was mentioned on the ICANN blog, and...

> That isn't to me any indication that there was incoherency.  (Note:  
> "I'm sure it was [coherent].")  So, my question later was - is  
> anyone reporting incoherency?

If someone changed your resolve.conf file and put a new
resolver in there that you've never seen that may or may
not have been malicious, but no one noticed any type
of "incoherency", then everything is fine?  You might
subscribe to such a thing, I don't.  Then escalate this to
a root level...

Look, you're welcome to ignore this if you want, I don't
choose to.

> This isn't about guilt/innocence, it's about getting the story  
> right. Where this is a tipping point for me is - without  
> incoherency, DNSSEC would not have stopped this.  With incoherency,  
> we could point to a situation that would have been helped by  
> DNSSEC.  When I hear someone say "DNSSEC would solve this" I then  
> have to ask "why?"

Yes, I understand what your agenda is, mine is orthogonal,
although they do appear to be related.

> And to assume the worst is also not acceptable.  As engineers we
> should be solving real problems, not addressing what we fear might
> happen.  (Yes, yes, design to capacity and environmental factors and
> what not, the 100-year flood plain.)  It would be nice to engineer a
> perfect world, free from all dangers, but there's not enough time or
> money to do that.

I was focused more along the lines of fundamental security for
end users, not burning DNSSEC.

-danny
