[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers

Danny McPherson danny at tcb.net
Fri May 23 15:57:34 UTC 2008

On May 23, 2008, at 9:33 AM, Edward Lewis wrote:
> Unless I am missing something, that doesn't indicate or even hint  
> that there was incoherency.

No, it hints that there could have been, that's my point, and
apparently, where the disconnect is.  You're assuming there
was none, I'm assuming there *could have been*.

> From the ICANN blog (http://blog.icann.org/?p=309):
> "ICANN has also been monitoring the results returned by these IP  
> addresses through the entire time it was advertised, and believes it  
> was always providing accurate root responses throughout its  
> existence."
> Again, no hint or allegation of incoherency.

"it believes"?  What does that mean?  Is ICANN willing to
testify they are certain that the integrity of all data was
preserved?  How could they do this?  And given that, they
really should not have made the statement above unless
they had access to the system or some mechanism to
ensure this was indeed the case.

The fact that an operator announced reachability for a root
prefix, and responded to queries for that root server, and it
was not 'authorized' to act as that root server, gives me great
reason for alarm.  What if it were pwned and just modified a
single zone for a specific targeted attack, known or unbeknownst
to the administrators of that system?  How would you verify that?

> So, I am still asking - did anyone report any incoherency during the  
> L-root incident?

See above.  I care.  I care that it could have.

> I don't see what you are driving towards, that is not at all related  
> to the L-root incident.

It's an analogy that correlates rather closely to this, except that
the host doesn't have to be touched now, just the imposter root.

>  (It's a case of a host security failure allowing system files to be  
> corrupted.)

The point there was that it has lots of security implications, and
now, even without modifying a resolv.conf file, I could
assert that I'm a root and employ a very similar attack vector.

