[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers

Danny McPherson danny at tcb.net
Tue May 27 22:59:54 UTC 2008


>
> Acting on detection is mostly manual work with ISPs. This will remain
> so until the ISP community have come around to more tight provisioning
> and routing practises.

And there's certainly plenty of work to be done there.

>  Trying to fudge this by introducing "platinum"
> prefixes will not really help with that problem.  Imho it would just
> create more obvious targets.

I'm not sure I agree with the obscurity bit helping with
security here.  While I'm not necessarily a fan of "golden
networks", or "platinum prefixes", or whatever we're
calling them today, I do believe it's sensible for operators
to give some level of preference and special attention
to these root server prefixes, and I do believe that giving
them a bit more attention from a routing system injection
and attribute perspective is a sensible thing.

And while not a fan of deaggregation, I think it's sensible
to announce root address space with more-specific prefixes
(e.g., /24s) than all are currently announced because of
the ease of route hijacking on the Internet.  Not that /24s
fix everything, but they do lessen the pain when a route
is hijacked, regardless of intent.  And I indeed believe that
network operators, root operators and ICANN alike should
be monitoring for routing system changes for root server
prefixes.

Finally, while I believe renumbering of roots shouldn't be
a terribly difficult thing, I'm sympathetic to an argument
that says binding roots to root operator address blocks
makes migrations to new operators more difficult, as well
as purpose built detection tool sets in use by operators
and end sites.

-danny
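The monitoring Danny calls for (watching the routing system for unexpected origins or more-specifics against root server prefixes) can be done offline against a BGP feed. The following is an added example, not code from this thread or from any root operator: it classifies constructed BGP UPDATE records against a watchlist of prefixes and their legitimate origin ASNs. The prefixes and ASNs are documentation ranges (RFC 5737, RFC 5398), not real root server addresses; in practice the watchlist would come from the operator's own records or RPKI ROAs, and the updates from a route collector or the router's own BMP/RIB export.

```python
import ipaddress
from dataclasses import dataclass

# Constructed watchlist: watched prefix -> set of legitimate origin ASNs.
# Documentation ranges only (RFC 5737 / RFC 5398); not real root server data.
WATCHLIST = {
    ipaddress.ip_network("192.0.2.0/24"): {64496},
    ipaddress.ip_network("198.51.100.0/23"): {64497, 64498},
}


@dataclass(frozen=True)
class Update:
    """One BGP UPDATE as seen by a collector: prefix plus AS_PATH.

    as_path is ordered left to right from the nearest neighbour to the
    origin, so the right-most element is the origin ASN.
    """
    prefix: str
    as_path: tuple


def classify_update(update, watchlist=WATCHLIST):
    """Return alert strings for one UPDATE (empty list means nothing to flag).

    Three cases matter for a watched prefix:
      * exact match with an unexpected origin  -> "origin-mismatch"
      * a more-specific from a legitimate origin -> "more-specific" (informational,
        e.g. deliberate /24 deaggregation of a /23)
      * a more-specific from any other origin   -> "more-specific-hijack", which
        wins by longest-match regardless of the covering prefix's attributes
    Less-specific aggregates from transit providers are not flagged here.
    """
    net = ipaddress.ip_network(update.prefix)
    origin = update.as_path[-1]
    alerts = []
    for watched, valid_origins in watchlist.items():
        if net.version != watched.version:
            continue
        if net == watched:
            if origin not in valid_origins:
                alerts.append(f"origin-mismatch {net} from AS{origin}")
        elif net.subnet_of(watched):
            kind = "more-specific" if origin in valid_origins else "more-specific-hijack"
            alerts.append(f"{kind} {net} inside {watched} from AS{origin}")
    return alerts


def scan(updates, watchlist=WATCHLIST):
    """Map each update's prefix to its alerts, so a caller can page on the non-empty ones."""
    return {u.prefix: classify_update(u, watchlist) for u in updates}


# Constructed sample feed: one benign update, one origin change, one legitimate
# deaggregation, one more-specific from a foreign origin, one unwatched prefix.
SAMPLE_UPDATES = [
    Update("192.0.2.0/24", (64500, 64496)),
    Update("192.0.2.0/24", (64500, 64511)),
    Update("198.51.100.0/24", (64499, 64497)),
    Update("198.51.101.0/24", (64500, 64511)),
    Update("203.0.113.0/24", (64500, 64511)),
]

if __name__ == "__main__":
    for prefix, alerts in scan(SAMPLE_UPDATES).items():
        print(prefix, alerts or "ok")
```

Note that the first sample /24 from the legitimate origin yields nothing, while the second, same prefix and different origin, is exactly the kind of change this thread is about; running the same check over a history of collector snapshots rather than a single feed is what turns it into a change monitor.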
