[dns-operations] Domain Name System without Root Servers

Wessels, Duane dwessels at verisign.com
Mon Oct 2 23:52:42 UTC 2017


Daniel Karrenberg just gave a very interesting/terrifying presentation at DNS-OARC about root priming:

https://indico.dns-oarc.net/event/27/session/5/contribution/21

My point being that this stuff never actually works the way we think it's supposed to...

DW




> On Oct 2, 2017, at 4:24 PM, George Michaelson <ggm at algebras.org> wrote:
> 
> The hypothetical "have you tried turning it off, and turning it back
> on" attack with no hysteresis in the DNS is only hypothetical. If you
> have a tin-can and string network, and can reach out from your island,
> you can reconnect and re-establish glue logic state. Australia did
> this several times, when the sat comms were unreliable: KRE ran the
> 9600 backup IP link which almost exclusively permitted port 53 from
> munnari.oz.au. to flow to and from the global internet. Its sole
> purpose was to prep cache state for the islanded DNS.
> 
> So that noted, there is one attack model which is to turn off the big
> fat pipe, drain the bits, polish the insides and clean out the muck,
> and then turn back on, with no ground state. Otherwise, you have to go
> over all 2k TLD, asking them offline to reconstruct a hint, to find
> their current state. That's pretty much what is happening in Haiti
> right now.
> 
> Or, go fetch one from a convenient place, like ICANN.
> 
> -G
> 
> On Mon, Oct 2, 2017 at 3:50 PM, Randy Bush <randy at psg.com> wrote:
>>> Nice paper, for resolver managers and TLD managers: how to get rid of
>>> the root for some TLDs (the system would be opt-in):
>>> 
>>> https://www.vs.uni-due.de/paper/2017_Wander_Rootless_DNS.pdf
>>> 
>>> The idea is to reuse priming (RFC 8109). The resolvers would know the
>>> NS and DS resource record sets of TLDs, and use priming to refresh
>>> their knowledge. It works as long as a TLD does not change everything
>>> at once.
>>> 
>>> The most interesting part of the paper is a survey of the TLD changes
>>> in the last four years: most TLDs kept at least one IP address of the
>>> original set during these four years. So, the idea could work.
>> 
>> read.  it certainly seems realistic.
>> 
>> thanks for the pointer.
>> 
>> randy
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
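As an added illustration of the rootless refresh sketched in the quoted summary (not code from the paper or from anyone on this thread), the simplified model below keeps a TLD's remembered NS addresses and a DS-like digest, asks any still-reachable remembered server for the current NS set, accepts it only if the server's DNSKEY matches the stored digest, and fails once a TLD has replaced every address or its key at once. The mock servers, the `make_tld`/`refresh_hints`/`simulate` helpers and the digest stand-in for DS are all constructed here; real DNSSEC validation of a signed apex NS RRset (RFC 4034/4035) is not modelled.

```python
import hashlib

def make_tld(dnskey, addresses):
    """Constructed mock of a TLD's authoritative servers.
    Maps each address to what a priming-style query would get back: the TLD's DNSKEY and apex NS set."""
    return {addr: (dnskey, set(addresses)) for addr in addresses}

def ds_digest(dnskey):
    # Stand-in for a DS record: a digest committing to the DNSKEY (constructed, not RFC 4034 wire format).
    return hashlib.sha256(dnskey.encode()).hexdigest()

def refresh_hints(hints, tld_servers):
    """Rootless refresh of one TLD's hints, modelled on priming (RFC 8109) but aimed at the TLD's own servers.
    hints: {"ns": set of remembered addresses, "ds": stored digest}.
    Returns (updated_hints, address_that_answered). Raises LookupError if no remembered address still
    serves the TLD, or ValueError if the served DNSKEY no longer matches the stored DS (the
    'changed everything at once' case the summary warns about)."""
    for addr in sorted(hints["ns"]):
        answer = tld_servers.get(addr)
        if answer is None:
            continue  # this address was retired; try the next remembered one
        dnskey, new_ns = answer
        if ds_digest(dnskey) != hints["ds"]:
            raise ValueError(f"{addr}: DNSKEY does not match stored DS; refusing unvalidated NS set")
        return {"ns": set(new_ns), "ds": hints["ds"]}, addr
    raise LookupError("no remembered address answered; hints cannot be refreshed without the root")

def simulate(changes, initial_ns, dnskey="key-v1"):
    """Apply successive NS-set changes (one per 'year', as in the paper's survey) and refresh after each.
    Returns (number of successful refreshes, final hints); stops at the first failed refresh."""
    hints = {"ns": set(initial_ns), "ds": ds_digest(dnskey)}
    ok = 0
    for new_set in changes:
        try:
            hints, _ = refresh_hints(hints, make_tld(dnskey, new_set))
            ok += 1
        except (LookupError, ValueError):
            break
    return ok, hints

if __name__ == "__main__":
    # Gradual churn with overlap: every refresh finds a surviving address (constructed sample).
    print(simulate([["a", "b", "c"], ["b", "c", "d"], ["c", "d", "e"]], ["a", "b"]))
    # Wholesale renumbering with no overlap: the resolver is stranded after zero refreshes.
    print(simulate([["x", "y"]], ["a", "b"]))
```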