root hints
Mark Andrews
marka at isc.org
Sat Jan 29 15:11:51 UTC 2011
In message <barmar-A10CC5.23122928012011 at news.eternal-september.org>, Barry Margolin writes:
> In article <mailman.1562.1296270623.555.bind-users at lists.isc.org>,
> Joseph S D Yao <jsdy at tux.org> wrote:
>
> > [This does leave a security hole - if a root name server's IP changes,
> > and a Bad Guy gets the old one; or on another internet, if the Bad Guy
> > gets all the IP addresses in the default file. It's not just lust for
> > control that has me using a visible root hints file.]
>
> I'm sure the folks who run these networks are quite aware of this
> danger. If a root server changes, I'll bet it will be several years
> before the old address goes to some other organization.
>
> How would a Bad Guy get these blocks, anyway? Since when do
> organizations return IP blocks?
>
> And if you check the registrations, several of them are assigned
> specifically to reserve the blocks for root servers. Presumably the
> intent is that even if the organizations operating them change, the IPs
> shouldn't -- they simply route the IPs to someone else.
>
> inetnum: 202.12.27.0 - 202.12.27.255
> netname: NSPIXP-2
> descr: root DNS server
>
> NetRange: 199.7.83.0 - 199.7.83.255
> CIDR: 199.7.83.0/24
> OriginAS: AS20144
> NetName: L-ROOT
>
> --
> Barry Margolin, barmar at alum.mit.edu
> Arlington, MA
> *** PLEASE don't copy me on replies, I'll read them in the group ***
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
And one can always turn on DNSSEC and then it doesn't matter which server
gives you the information.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org