[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers
Mark Andrews
Mark_Andrews at isc.org
Mon May 26 00:55:42 UTC 2008
Root server addresses change whether it is private roots
or global roots. Part of the job of running a caching
nameserver is to check for these changes. Caching nameservers
should be reporting when the list of nameservers or their
addresses change.
Golden addresses are a bad idea as you would then have
vendors not providing mechanisms to change them. This would
cause the operators of private roots to advertise routes
for their private instances of root servers which would then
leak causing even more problems.
DNSSEC won't detect problems at the routing level.
DNSSEC can detect incoherency.
DNSSEC could be used to help automate the update of hints.
The addresses listed in hints can get any and all questions
that are directed at real root nameservers. There is no
requirement that it is only ./NS. In fact at a minimum you
should expect queries for <root-nameserver-name>/<address>
queries in addition to ./NS queries. This is no different
to any parent server getting address queries for glue.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
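
The change reporting described in the message above, as an added example (not part of the original post and not code from ISC or any nameserver): it compares a configured hints file with the records learned from a ./NS priming query and reports server and address changes. The function names, server names and addresses are constructed for illustration, and the priming response is embedded as text rather than fetched.

```python
import ipaddress

# Constructed sample data (documentation names/addresses, not real root data).
HINTS_TEXT = """\
; configured hints (constructed)
.                 3600000  NS    a.root.example.
a.root.example.   3600000  A     192.0.2.1
.                 3600000  NS    b.root.example.
b.root.example.   3600000  A     192.0.2.2
b.root.example.   3600000  AAAA  2001:db8::2
"""
PRIMED_TEXT = """\
.                 518400  IN  NS    a.root.example.
.                 518400  IN  NS    b.root.example.
.                 518400  IN  NS    c.root.example.
a.root.example.   518400  IN  A     192.0.2.1
b.root.example.   518400  IN  A     198.51.100.2
b.root.example.   518400  IN  AAAA  2001:DB8::2
c.root.example.   518400  IN  A     203.0.113.3
"""

def parse_records(text):
    """Return {root server name: set of addresses} from zone-file style lines."""
    names, addrs = set(), {}
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop comments, then tokenise
        if len(fields) < 3:
            continue
        # The class field is optional, so read type and rdata from the end.
        owner, rtype, rdata = fields[0].lower(), fields[-2].upper(), fields[-1]
        if rtype == "NS" and owner == ".":
            names.add(rdata.lower())
        elif rtype in ("A", "AAAA"):
            # Normalise so textual variants of one address compare equal.
            addrs.setdefault(owner, set()).add(str(ipaddress.ip_address(rdata)))
    return {name: addrs.get(name, set()) for name in names}

def diff_hints(hints, primed):
    """Return report lines describing how the primed set differs from hints."""
    report = []
    for name in sorted(set(hints) | set(primed)):
        if name not in primed:
            report.append(f"server removed: {name}")
        elif name not in hints:
            report.append(f"server added: {name} {sorted(primed[name])}")
        elif hints[name] != primed[name]:
            gone = sorted(hints[name] - primed[name])
            new = sorted(primed[name] - hints[name])
            report.append(f"address change: {name} -{gone} +{new}")
    return report
```

A report like this only says that the two views differ; whether the primed data is trustworthy has to be judged separately, since the priming answer comes from whatever host answered at the hinted address.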