[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers

Edward Lewis Ed.Lewis at neustar.biz
Fri May 23 15:33:27 UTC 2008

At 9:22 -0600 5/23/08, Danny McPherson wrote:

>Well, it's implicitly mentioned in the Renesys blog, for
>"Everything checked out for our limited tests. So at least the bogus name
>servers might have been providing the correct responses while they were in
>service, which may be why no one noticed a problem."

Unless I am missing something, that doesn't indicate or even hint 
that there was incoherency.

>And I've mentioned it, and it's been mentioned here, and
>it was mentioned on the ICANN blog, and...

From the ICANN blog (http://blog.icann.org/?p=309):

"ICANN has also been monitoring the results returned by these IP 
addresses through the entire time it was advertised, and believes it 
was always providing accurate root responses throughout its 

Again, no hint or allegation of incoherency.

So, I am still asking - did anyone report any incoherency during the 
L-root incident?

>If someone changed your resolv.conf file and put a new
>resolver in there that you've never seen that may or may
>not have been malicious, but no one noticed any type
>of "incoherency", then everything is fine?  You might
>subscribe to such a thing, I don't.  Then escalate this to
>a root level...
>Look, you're welcome to ignore this if you want, I don't
>choose to.

I don't see what you are driving towards, that is not at all related 
to the L-root incident.  (It's a case of a host security failure 
allowing system files to be corrupted.)

>I was focused more along the lines of fundamental security for
>end users, not burning DNSSEC.

I'm not burning DNSSEC.  I'm just pointing out that it is not the 
tool for the L-root incident (as was suggested by an earlier post).

Edward Lewis                                                +1-571-434-5468

Never confuse activity with progress.  Activity pays more.
