[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers

Mark Andrews Mark_Andrews at isc.org
Mon May 26 00:55:42 UTC 2008

	Root server addresses change whether it is private roots
	or global roots.  Part of the job of running a caching
	nameserver is to check for these changes.  Caching nameservers
	should be reporting when the list of nameservers or their
	addresses change.

	Golden addresses are a bad idea as you would then have
	vendors not providing mechanisms to change them.  This would
	cause the operators of private roots to advertise routes
	for their private instances of root servers which would then
	leak causing even more problems.

	DNSSEC won't detect problems at the routing level.
	DNSSEC can detect incoherency.
	DNSSEC could be used to help automate the update of hints.

	The addresses listed in hints can get any and all questions
	that are directed at real root nameservers.  There is no
	requirement that it is only ./NS.  In fact at a minimum you
	should expect queries for <root-nameserver-name>/<address>
	queries in addition to ./NS queries.  This is no different
	to any parent server getting address queries for glue.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
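The post says a caching nameserver should check whether the root server list or its addresses have changed and report it. The following is an added example of that check, not code from the post, from ISC or from BIND: it parses a zone-file-style hints file, compares it with the NS/A/AAAA set a priming query returned, and reports servers that were removed, added, or renumbered. The hints file and the priming response below are both constructed sample data with documentation names and addresses, not the real root hints.

```python
"""Report drift between a resolver's root hints and its primed root NS set.

Added example, not from the mailing-list post or from ISC/BIND.  The hints
text and the priming records are constructed; names and addresses are
deliberately not the real root servers.
"""
import ipaddress

# Constructed hints file in zone-file syntax (made-up names and addresses).
HINTS_TEXT = """
; constructed root hints, not the real file
.                        3600000      NS    A.EXAMPLE-ROOT.NET.
A.EXAMPLE-ROOT.NET.      3600000      A     192.0.2.1
A.EXAMPLE-ROOT.NET.      3600000      AAAA  2001:db8::1
.                        3600000      NS    B.EXAMPLE-ROOT.NET.
B.EXAMPLE-ROOT.NET.      3600000      A     192.0.2.2
.                        3600000      NS    C.EXAMPLE-ROOT.NET.
C.EXAMPLE-ROOT.NET.      3600000      A     192.0.2.3
"""

# Constructed priming response as (owner, type, rdata) tuples, as a resolver
# might see after asking ./NS: B renumbered, C gone, D newly added.
PRIMING_RRS = [
    (".", "NS", "A.EXAMPLE-ROOT.NET."),
    (".", "NS", "B.EXAMPLE-ROOT.NET."),
    (".", "NS", "D.EXAMPLE-ROOT.NET."),
    ("A.EXAMPLE-ROOT.NET.", "A", "192.0.2.1"),
    ("A.EXAMPLE-ROOT.NET.", "AAAA", "2001:db8::1"),
    ("B.EXAMPLE-ROOT.NET.", "A", "198.51.100.2"),
    ("D.EXAMPLE-ROOT.NET.", "A", "192.0.2.4"),
]


def _norm_name(name):
    """Lower-case a DNS name and make sure it is fully qualified."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def _add_record(ns_names, addrs, owner, rtype, rdata):
    """Collect root NS names and the A/AAAA addresses of each server."""
    owner = _norm_name(owner)
    if rtype == "NS" and owner == ".":
        ns_names.add(_norm_name(rdata))
    elif rtype in ("A", "AAAA"):
        try:
            # Canonical text form so 2001:DB8:0::1 and 2001:db8::1 compare equal.
            addr = ipaddress.ip_address(rdata).compressed
        except ValueError:
            return  # skip malformed rdata rather than trust it
        addrs.setdefault(owner, set()).add(addr)


def parse_hints(text):
    """Parse "owner [ttl] [class] type rdata" lines into (ns_names, {name: addrs})."""
    ns_names, addrs = set(), {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        owner, rest = fields[0], fields[1:]
        rest = [f for f in rest if f.upper() != "IN" and not f.isdigit()]
        if len(rest) != 2:
            continue  # not a simple NS/A/AAAA record line
        _add_record(ns_names, addrs, owner, rest[0].upper(), rest[1])
    return ns_names, addrs


def rrs_to_sets(rrs):
    """Same shape as parse_hints(), built from already-parsed records."""
    ns_names, addrs = set(), {}
    for owner, rtype, rdata in rrs:
        _add_record(ns_names, addrs, owner, rtype.upper(), rdata)
    return ns_names, addrs


def diff_hints(hints_text, priming_rrs):
    """Return removed/added server names and servers whose address set changed."""
    h_ns, h_addr = parse_hints(hints_text)
    p_ns, p_addr = rrs_to_sets(priming_rrs)
    report = {"removed": sorted(h_ns - p_ns), "added": sorted(p_ns - h_ns),
              "renumbered": {}}
    for name in sorted(h_ns & p_ns):
        old, new = h_addr.get(name, set()), p_addr.get(name, set())
        if old != new:
            report["renumbered"][name] = {"old": sorted(old), "new": sorted(new)}
    return report


def has_drift(report):
    """True when any part of the report is non-empty (i.e. hints need updating)."""
    return bool(report["removed"] or report["added"] or report["renumbered"])


if __name__ == "__main__":
    result = diff_hints(HINTS_TEXT, PRIMING_RRS)
    for key in ("removed", "added"):
        for name in result[key]:
            print(f"root hints: {key} server {name}")
    for name, change in result["renumbered"].items():
        print(f"root hints: {name} {change['old']} -> {change['new']}")
    if not has_drift(result):
        print("root hints: consistent with priming response")
```

On the constructed data this reports C as removed, D as added, and B as renumbered, which is exactly the kind of change the post says a caching nameserver should be logging. A report of drift is a prompt to verify the new list against the authoritative published hints, not a reason to accept the primed addresses automatically.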
