[dns-operations] DNS trust dependencies for ICANN TLDs

John Kristoff jtk at cymru.com
Thu Jun 11 05:22:13 UTC 2009


On Wed, 10 Jun 2009 20:02:20 -0700
Matthew Dempsky <matthew at dempsky.org> wrote:

> I've assembled a collection of graphs of zone and name server trust
> dependencies for each ICANN TLD at
> 
>     http://shinobi.dempsky.org/~matthew/dnstrust/graphs/

Matthew,

I find this very interesting work and thank you for taking the time to
do this.  I do hope you automate it so your graphs will be current on
at least a weekly basis.  I think it's a worthwhile thing to do.

I have a couple of additional thoughts at this late hour (for me
anyway), take that as a hint that I might not be thinking clearly.  :-)

This reminds me of the work and discussion that took place related to
CoDoNS.  If you missed it, here are some relevant links:

  <http://www.cs.cornell.edu/People/egs/beehive/dnssurvey.html>
  <https://lists.dns-oarc.net/pipermail/dns-operations/2006-April/000504.html>
  <https://lists.dns-oarc.net/pipermail/dns-operations/2006-April/000526.html>
  <https://lists.dns-oarc.net/pipermail/dns-operations/2006-May/000537.html>

Each of the TLDs is also dependent on the root.  There are other
dependencies, such as the routing infrastructure.  Meanwhile, I
wouldn't have said "Having implicit trust dependencies is bad".  That
is kind of obvious really.  As soon as anyone connects to the net
they're creating an implicit trust dependency.  In practice, I don't
think most if any of the TLDs need to panic over this.  I'd recommend
they review the graphs and consider them carefully, but in my
estimation a "fix" might not be as dire as your web page calls
for.

You probably know this, but there are some ccTLDs that use second level
domains like TLDs, for example, co.uk, ac.uk, etc.  They are not
likely to eliminate a zone just to reduce the dependency graph.

I'd be interested in hearing about any real world cases of this or
related DNS cache poisoning attacks being used in the wild.  I've not
seen any raw data confirming the vulnerability the clever Dan Kaminsky
discovered a short while ago.  I have heard of situations where an
authoritative server gets owned and names it is authoritative for get
pointed elsewhere, but nothing as nefarious as taking over entire TLDs.
I've asked and I've gotten some "I've seen it", but with no supporting
data.

John
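The trust dependency graph discussed in this thread can be computed from nothing more than a zone's NS set: a zone depends on the zone that delegates it (and so, transitively, on the root), and on every zone that holds one of its name server hostnames, and each of those zones has dependencies of its own. The following is an added example, not code from the original post or from Matthew's graphing site; the delegation table in it is constructed and hypothetical (the zone and host names are made up and carry no measured data).

```python
"""Transitive DNS trust dependencies of a zone, walked from a delegation table.

A zone Z depends on:
  * the closest enclosing zone of its parent name (the delegating zone), and
  * the closest enclosing zone of each NS hostname (where the NS name resolves),
and recursively on everything those zones depend on.  Out-of-bailiwick NS names
are what pull additional zones (and their operators) into Z's trust set.
"""
from collections import deque

# Constructed sample delegation table (hypothetical; not real measurements):
# absolute zone name -> NS hostnames.  "example." stands in for a TLD.
SAMPLE_NS = {
    ".": ["a.root-servers.net."],
    "net.": ["a.gtld-servers.net."],
    "org.": ["a0.org-servers.net."],
    "example.": ["ns1.example.", "ns2.example-dns.net."],
    "example-dns.net.": ["ns.example-dns.net.", "ns.other.org."],
    "other.org.": ["ns.other.org."],
    "root-servers.net.": ["a.root-servers.net."],
    "gtld-servers.net.": ["a.gtld-servers.net."],
    "org-servers.net.": ["a0.org-servers.net."],
}


def parent(name):
    """Parent of an absolute name ("a.b." -> "b.", "b." -> "."); None for the root."""
    if name == ".":
        return None
    rest = name.rstrip(".").split(".")[1:]
    return ".".join(rest) + "." if rest else "."


def enclosing_zone(name, ns_table):
    """Closest ancestor of `name` (itself included) that is a zone cut in ns_table."""
    while name is not None:
        if name in ns_table:
            return name
        name = parent(name)
    raise KeyError("root zone missing from table")


def direct_dependencies(zone, ns_table):
    """Zones that `zone` relies on directly: its delegating zone plus the
    zones hosting its NS names.  In-bailiwick NS names add nothing."""
    deps = set()
    p = parent(zone)
    if p is not None:
        deps.add(enclosing_zone(p, ns_table))
    for ns in ns_table[zone]:
        deps.add(enclosing_zone(ns, ns_table))
    deps.discard(zone)
    return deps


def trust_dependencies(zone, ns_table):
    """Transitive closure of direct_dependencies, excluding `zone` itself."""
    seen, queue = set(), deque([zone])
    while queue:
        for dep in direct_dependencies(queue.popleft(), ns_table):
            if dep != zone and dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def dependency_edges(zone, ns_table):
    """All (zone, dependency) edges reachable from `zone`, for graphing."""
    edges = set()
    for z in {zone} | trust_dependencies(zone, ns_table):
        for dep in direct_dependencies(z, ns_table):
            edges.add((z, dep))
    return edges


def to_dot(zone, ns_table):
    """Graphviz DOT rendering of the dependency graph rooted at `zone`."""
    lines = ["digraph trust {"]
    for src, dst in sorted(dependency_edges(zone, ns_table)):
        lines.append('  "%s" -> "%s";' % (src, dst))
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    for z in sorted(trust_dependencies("example.", SAMPLE_NS)):
        print(z)
    print(to_dot("example.", SAMPLE_NS))
```

Note how a single out-of-bailiwick NS name (ns2.example-dns.net.) pulls in example-dns.net., its own second NS host's zone other.org., and from there org. and the .org server zone: every one of those operators ends up able to influence resolution of the hypothetical TLD. Running it against real NS sets (fetched separately, e.g. with dig) reproduces the kind of graph this thread is about.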
