[dns-operations] Domain Name System without Root Servers

George Michaelson ggm at algebras.org
Mon Oct 2 23:24:56 UTC 2017

The hypothetical "have you tried turning it off, and turning it back
on" attack with no hysteresis in the DNS is only hypothetical. If you
have a tin-can and string network, and can reach out from your island,
you can reconnect and re-establish glue logic state. Australia did
this several times, when the sat comms were unreliable: KRE ran the
9600 backup IP link which almost exclusively permitted port 53 from
munnari.oz.au. to flow to and from the global internet. Its sole
purpose was to prep cache state for the islanded DNS.

So that noted, there is one attack model which is to turn off the big
fat pipe, drain the bits, polish the insides and clean out the muck,
and then turn back on, with no ground state. Otherwise, you have to go
over all 2k TLD, asking them offline to reconstruct a hint, to find
their current state. That's pretty much what is happening in Haiti
right now.

Or, go fetch one from a convenient place, like ICANN.


On Mon, Oct 2, 2017 at 3:50 PM, Randy Bush <randy at psg.com> wrote:
>> Nice paper, for resolver managers and TLD managers: how to get rid of
>> the root for some TLDs (the system would be opt-in):
>> https://www.vs.uni-due.de/paper/2017_Wander_Rootless_DNS.pdf
>> The idea is to reuse priming (RFC 8109). The resolvers would know the
>> NS and DS resource record sets of TLDs, and use priming to refresh
>> their knowledge. It works as long as a TLD does not change everything
>> at once.
>> The most interesting part of the paper is a survey of the TLD changes
>> in the last four years: most TLD kept at least one IP address of the
>> original set during these four years. So, the idea could work.
> read.  it certainly seems realistic.
> thanks for the pointer.
> randy
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
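The priming idea summarised in the quoted message (a resolver remembers the NS set of each TLD and refreshes it from those servers instead of asking the root) is easy to model. The following toy simulation is an added example, not code from the paper or from anyone in this thread: all TLD names, server names and 192.0.2.x addresses are constructed placeholders, a query is simulated as a dictionary lookup, and the DS-based validation that a real resolver would apply to the refreshed NS set is left out. It shows the property the survey relies on: re-priming succeeds as long as at least one remembered address still answers, and only a TLD that changes every address at once forces the resolver back to the root.

```python
# Added example (not from the paper or the thread): a toy model of a resolver
# that keeps the NS/address set of each TLD it has seen and re-primes from
# those addresses after a cold start, falling back to root hints only when
# every remembered address has gone away. All names and 192.0.2.x addresses
# below are constructed placeholders.

from typing import Dict, List, Optional, Set, Tuple

# A "snapshot" is the live NS set of a TLD at some point in time:
# nameserver name -> set of addresses that answer authoritatively.
Snapshot = Dict[str, Set[str]]

# Constructed history of a TLD that rotates servers gradually, one per year,
# so that at least one address from the previous year always survives.
GRADUAL: List[Snapshot] = [
    {"a.nic.example": {"192.0.2.1"}, "b.nic.example": {"192.0.2.2"}},
    {"a.nic.example": {"192.0.2.1"}, "c.nic.example": {"192.0.2.3"}},
    {"d.nic.example": {"192.0.2.4"}, "c.nic.example": {"192.0.2.3"}},
]

# Constructed history of a TLD that flash-cuts to an entirely new set.
FLASH_CUT: List[Snapshot] = [
    {"a.nic.example": {"192.0.2.1"}, "b.nic.example": {"192.0.2.2"}},
    {"x.nic.example": {"192.0.2.9"}, "y.nic.example": {"192.0.2.10"}},
]


def query_ns(addr: str, live: Snapshot) -> Optional[Snapshot]:
    """Simulated 'NS <tld>' query sent to one address.

    The server only answers if that address is still in the live set; anything
    else is a timeout (None), as a decommissioned server would be.
    """
    for addrs in live.values():
        if addr in addrs:
            return live  # an authoritative server returns the current NS set
    return None


def reprime(cached: Snapshot, live: Snapshot, root_hints: Snapshot) -> Tuple[str, Snapshot]:
    """Refresh the remembered NS set of one TLD after a cold start.

    Returns ("primed", new_set) when any remembered address still answers and
    ("root", new_set) when the resolver had to fall back to the root.
    """
    for addrs in cached.values():
        for addr in sorted(addrs):
            answer = query_ns(addr, live)
            if answer is not None:
                return "primed", answer
    # Every remembered address is gone: only the root can tell us the new set.
    return "root", root_hints


def replay(history: List[Snapshot]) -> List[str]:
    """Walk a TLD's history, re-priming from the previous step's memory each time."""
    cached = history[0]
    outcomes = []
    for live in history[1:]:
        # root_hints=live stands in for "what the root would have told us".
        how, cached = reprime(cached, live, root_hints=live)
        outcomes.append(how)
    return outcomes


if __name__ == "__main__":
    print("gradual rotation:", replay(GRADUAL))   # ['primed', 'primed']
    print("flash cut:       ", replay(FLASH_CUT))  # ['root']
```

The operational takeaway for a TLD operator is the one the paper's survey makes: staggering renumbering so that one old address keeps answering across the transition is what keeps root-less resolvers primed; for a resolver operator, the "root" outcome is the case to monitor, since it is the moment the islanded configuration silently stops being root-less.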
