[dns-operations] DNS trust dependencies for ICANN TLDs
bert hubert
bert.hubert at netherlabs.nl
Thu Jun 11 06:20:27 UTC 2009
On Thu, Jun 11, 2009 at 5:02 AM, Matthew Dempsky <matthew at dempsky.org> wrote:
> I've assembled a collection of graphs of zone and name server trust
> dependencies for each ICANN TLD at
>
> http://shinobi.dempsky.org/~matthew/dnstrust/graphs/
>
> I've heard claims from some TLD operators that extra dependencies are
> actually intentional, but I haven't yet heard any arguments to justify
> that claim. Can anyone here offer arguments in favor of making TLDs
> dependent on name servers other than the ones authoritative for that TLD?

One of the things that would help in the discussion would be if we
could craft a realistic scenario of how an attacker would be able to
subvert the DNS based on an outlying dependency.

So say, this odd server at a university 12 countries away decides to
go rogue - would anyone notice in real life?

And would they notice first because the house of cards came down, or
because we'd spot that server as a bad apple?

Bert