In message <barmar-a10cc5.23122928012...@news.eternal-september.org>, Barry Margolin writes:
> In article <mailman.1562.1296270623.555.bind-us...@lists.isc.org>,
> Joseph S D Yao <j...@tux.org> wrote:
>
> > [This does leave a security hole - if a root name server's IP changes,
> > and a Bad Guy gets the old one; or on another internet, if the Bad Guy
> > gets all the IP addresses in the default file. It's not just lust for
> > control that has me using a visible root hints file.]
>
> I'm sure the folks who run these networks are quite aware of this
> danger. If a root server changes, I'll bet it will be several years
> before the old address goes to some other organization.
>
> How would a Bad Guy get these blocks, anyway? Since when do
> organizations return IP blocks?
>
> And if you check the registrations, several of them are assigned
> specifically to reserve the blocks for root servers. Presumably the
> intent is that even if the organizations operating them change, the IPs
> shouldn't -- they simply route the IPs to someone else.
>
> inetnum: 202.12.27.0 - 202.12.27.255
> netname: NSPIXP-2
> descr: root DNS server
>
> NetRange: 199.7.83.0 - 199.7.83.255
> CIDR: 199.7.83.0/24
> OriginAS: AS20144
> NetName: L-ROOT
>
> --
> Barry Margolin, bar...@alum.mit.edu
> Arlington, MA
> *** PLEASE don't copy me on replies, I'll read them in the group ***
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

And one can always turn on DNSSEC and then it doesn't matter which
server gives you the information.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
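
The setting referred to in the reply above, as an added example that is not part of the original thread: a `named.conf` fragment for a validating BIND resolver. It assumes a BIND release that supports `dnssec-validation auto` with its built-in root trust anchor; the hints file name `named.root` is an assumption.

```conf
options {
    // Validate answers from signed zones against the root trust anchor.
    // An answer that fails validation is rejected (the client sees SERVFAIL),
    // whichever server address it came from.
    // "auto" uses the root key shipped with BIND and follows key rollovers.
    dnssec-validation auto;
};

// Optional explicit ("visible") root hints file, as described earlier in the
// thread, instead of the compiled-in defaults. Hints are only used to locate
// the root servers; with validation on, they are not a source of trusted data.
zone "." {
    type hint;
    file "named.root";   // assumed file name
};
```

After reloading, a query such as `dig +dnssec . NS @127.0.0.1` (assuming the resolver listens on 127.0.0.1) shows the `ad` flag in the response header when the answer validated.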