root hints operation
Mark Andrews
marka at isc.org
Tue Nov 17 22:22:28 UTC 2015
In message <564BA6E9.2050408 at hireahit.com>, Dave Warren writes:
> On 2015-11-17 14:13, Mark Andrews wrote:
> > In message <564BA3E3.9060008 at hireahit.com>, Dave Warren writes:
> >> On 2015-11-16 18:09, Grant Taylor wrote:
> >>> It's my understanding that ALL of the root servers would have to
> >>> change all of their addresses at the same time for DNS to be impacted.
> >> Or, the IP formerly used as a root server could turn malicious and start
> >> offering an alternate response. This would only impact resolvers that
> >> had outdated root hints, and also happened to try that particular IP
> >> first, but it's at least a theoretical risk.
> > Which is why those addresses get held back from reassignment. It is a
> > known risk that is mitigated.
>
> Understood and agreed, there's little real-world risk, but it's
> important to understand that this risk is mitigated by policy, not by
> technology.
Given the root zone is signed and most of the TLD's are also signed
there is little a rogue operator can do besides causing a DoS if
you validate the returned answers.
> --
> Dave Warren
> http://www.hireahit.com/
> http://ca.linkedin.com/in/davejwarren
>
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the bind-users
mailing list