[dns-operations] [Ext] K-root in CN leaking outside of CN

Paul Hoffman paul.hoffman at icann.org
Sat Nov 6 20:25:52 UTC 2021


On Nov 6, 2021, at 10:59 AM, Manu Bretelle <chantr4 at gmail.com> wrote:
> 
> Yeah, agreed, "kind of" is probably not the right term to use. I essentially did not care in this specific example of any impersonation which is why I added "but I will not focus on the ones returning the correct answer (e.g 185.89.219.12)".

I usually try to not speak for other people, but *many* of us on this list care very much about the difference between a route leak for a root server instance and a harmful impersonation. Today's widespread use of anycast by root servers makes route leaks almost insignificant; given the low rate of DNSSEC validation, any impersonation can be quite important.

--Paul Hoffman
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2584 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20211106/9ee1304e/attachment-0001.bin>


More information about the dns-operations mailing list