[dns-operations] DNS trust dependencies for ICANN TLDs

bert hubert bert.hubert at netherlabs.nl
Thu Jun 11 06:20:27 UTC 2009

On Thu, Jun 11, 2009 at 5:02 AM, Matthew Dempsky<matthew at dempsky.org> wrote:
> I've assembled a collection of graphs of zone and name server trust
> dependencies for each ICANN TLD at
>    http://shinobi.dempsky.org/~matthew/dnstrust/graphs/
> I've heard claims from some TLD operators that extra dependencies are
> actually intentional, but I haven't yet heard any arguments to justify
> that claim.  Can anyone here offer arguments in favor of making TLDs
> dependent name servers other than the ones authoritative for that TLD?

One of the things that would help in the discussion would be if we
could craft a realistic scenario how an attacker would be able to
subvert the DNS based on an out-lying dependency.

So say, this odd server at a university 12 countries away decides to
go rogue - would anyone notice in real life?

And would they notice first because the house of cards came down, or
because we'd spot that server as a bad apple?


More information about the dns-operations mailing list