[62278] in North American Network Operators' Group


Re: News of ISC Developing BIND Patch

daemon@ATHENA.MIT.EDU (Simon Waters)
Wed Sep 17 07:54:49 2003

Date: Wed, 17 Sep 2003 12:53:58 +0100
To: Nanog Mailing List <nanog@merit.edu>
From: Simon Waters <Simon@wretched.demon.co.uk>
Errors-To: owner-nanog-outgoing@merit.edu



From: Valdis.Kletnieks@vt.edu
>
> To pull a stunt like that at the root, they'd have to get the OTHER 9
> or 10 organizations to buy in, or they'd find themselves outvoted 13
> servers to 2, or whatever the exact numbers are....

From a purely technical perspective, DNS servers don't run ballots, so
it matters not so much how many servers say something, but what they
say, how long they claim it to be valid for, as well as how quickly they
answer.

It is much easier to give a long-lived lie than a short-lived truth in
the DNS world.

As such, any root server operator can potentially hijack a significant
amount (majority?) of Internet traffic, at least if no one notices
something odd and figures out what is going on quickly enough. This is DNS
security 101...

A single rogue root server could be very messy to clean up after if the
person in control of the rogue server were skilled in the art (and root
server operators are supposed to be so skilled to get the job).

Paul is, I suspect, the best regular NANOG poster to judge the
trustworthiness of various root server operators. And I am comforted
somewhat by his faith in the Verisign employees tasked with this.

However, the whole episode does cast Verisign in a bad light, and IANA
should presumably review whether the company is a suitable contractor. I
for one believe a swift reversal of the Verisign position would earn it
a lot of credit; 900 seconds later and it is all forgotten.

 Simon



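The cache behaviour Simon describes, as an added illustration that is not part of the original post: a Python simulation of a caching resolver that accepts the first reply rather than holding a ballot, and of how a resolver-side TTL clamp (a defender's control modelled on BIND's max-cache-ttl option) limits how long a long-lived wrong answer outlives the server that gave it. All server counts, addresses, TTLs and timings are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Answer:
    """One server's reply for the name being resolved (constructed sample data)."""
    rdata: str      # the address the server hands out
    ttl: int        # how long the server claims the answer is valid, in seconds
    latency: float  # seconds until the reply reaches the resolver

@dataclass
class CacheEntry:
    rdata: str
    expires_at: int

class Resolver:
    """Minimal caching resolver: no voting, first reply wins, kept for its TTL."""
    def __init__(self, servers, max_cache_ttl=None):
        self.servers = list(servers)
        self.max_cache_ttl = max_cache_ttl  # resolver-side clamp, like BIND max-cache-ttl
        self.cache = {}

    def lookup(self, name, now):
        entry = self.cache.get(name)
        if entry is not None and entry.expires_at > now:
            return entry.rdata  # served from cache: no server is consulted at all
        # No ballot: the fastest answer is accepted whatever the other servers say.
        winner = min(self.servers, key=lambda s: s.latency)
        ttl = winner.ttl if self.max_cache_ttl is None else min(winner.ttl, self.max_cache_ttl)
        self.cache[name] = CacheEntry(winner.rdata, now + ttl)
        return winner.rdata

def lie_lifetime(honest, rogue, rogue_removed_at, max_cache_ttl=None, horizon=90_000, step=60):
    """Last second at which a client querying every `step` seconds still receives the
    rogue answer, given the rogue server is taken out of service at `rogue_removed_at`."""
    resolver = Resolver(honest + [rogue], max_cache_ttl)
    last_lie = None
    for now in range(0, horizon, step):
        if now >= rogue_removed_at:
            resolver.servers = list(honest)  # rogue gone; only the cache can still lie
        if resolver.lookup("www.example", now) == rogue.rdata:
            last_lie = now
    return last_lie

# Constructed scenario: honest servers reply slightly slower with a 300 s TTL; the rogue
# replies fastest with a one-day TTL and is noticed and shut down after one hour.
HONEST = [Answer("192.0.2.1", ttl=300, latency=0.08) for _ in range(12)]
ROGUE = Answer("198.51.100.1", ttl=86_400, latency=0.02)

if __name__ == "__main__":
    print("no clamp:", lie_lifetime(HONEST, ROGUE, 3600))                 # 86340
    print("max_cache_ttl=900:", lie_lifetime(HONEST, ROGUE, 3600, 900))   # 3540
    print("only 2 honest servers:", lie_lifetime(HONEST[:2], ROGUE, 3600))  # 86340
```

The third run shows the "no ballot" point: whether 2 or 12 honest servers exist makes no difference once the fastest, longest-lived answer is cached.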
