[49593] in North American Network Operators' Group


Re: DNS was Re: Internet Vulnerabilities

daemon@ATHENA.MIT.EDU (Randy Bush)
Fri Jul 5 13:03:58 2002

From: Randy Bush <randy@psg.com>
To: Paul Vixie <paul@vix.com>
Cc: Nanog Mailing List <nanog@merit.edu>
Date: Fri, 05 Jul 2002 10:01:31 -0700
Errors-To: owner-nanog-outgoing@merit.edu


> Now that we've seen enough years of experience from Genuity.orig,
> UltraDNS, Nominum, AS112, and {F,K}.root-servers.net, we're seriously
> talking about using anycast for the root server system.

without dnssec, how do we differentiate this from a routing attack
on the roots?

the as112 anycast thingie is fine, as who cares if someone attacks
reverse servers for bogus requests.  attacking bogosity is good. :-)

the decade of sprint, uunet, ... running anycast caching within
an isp is risky, but they are responsible for their own security and
fate.

beyond that, security and anycast don't mix well without the data
being authenticated, e.g. dnssec.

randy

