> On Nov 10, 2014, at 12:13 AM, John Levine <jo...@taugh.com> wrote:
>
>> And isn't there some danger that this "parallel" root becomes an
>> attractive target for those who want things to be different than
>> what's in the "official" root? That is, in effect, isn't this a plain
>> old alternative root?
>
> I would assume the plan is that the clients use DNSSEC to validate
> the responses.
>
> This doesn't seem notably less secure than the current scheme, given
> how many networks "helpfully" reroute DNS traffic already. But my
> question about why not just hijack the address of an existing root
> stands.
This happens in China (on CERNET I believe): there is a set of root mirrors that hijack most (but not all) of the root IPs. As far as we can tell, the servers are legitimate, returning the proper responses, except that the mirror servers don't support DNSSEC.

--
Nicholas Weaver                    it is a tale, told by an idiot,
nwea...@icsi.berkeley.edu          full of sound and fury,
510-666-2903                       .signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc
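As an added example (not code from this thread or from any project it mentions), a stdlib-only Python check for the symptom described above: a root answer that comes back without RRSIGs, which is what a validating client would see from a mirror that does not do DNSSEC. The wire-format encoder, the sample records and the placeholder RRSIG payload are all constructed here for the demonstration.

```python
import struct
# Minimal DNS wire-format helpers (constructed for this example); names are
# left uncompressed, which is enough for the samples built below.
RRSIG, OPT, NS = 46, 41, 2

def encode_name(name):  # "." -> b"\x00"; "a.b." -> length-prefixed labels + root
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def rr(name, rtype, rdata, ttl=3600):  # one resource record, class IN
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def opt_rr(do_bit):  # EDNS OPT pseudo-RR: class = UDP size, "ttl" = rcode/ver/flags
    return b"\x00" + struct.pack("!HHIH", OPT, 4096, 0x8000 if do_bit else 0, 0)

def build_response(answers, additional):  # header flags QR|AA, one question "./NS"
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(answers), 0, len(additional))
    return hdr + encode_name(".") + struct.pack("!HH", NS, 1) + b"".join(answers + additional)

def skip_name(msg, off):  # return the offset just past a (possibly compressed) name
    while True:
        l = msg[off]
        if l == 0:
            return off + 1
        if l & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + l

def dnssec_summary(msg):
    """Count RRSIGs and read the EDNS DO bit and header AD bit of a response."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip qtype + qclass
    rrsigs, do = 0, False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == RRSIG:
            rrsigs += 1
        elif rtype == OPT:
            do = bool(ttl & 0x8000)  # the DO flag lives in the OPT "TTL" field
    return {"rrsigs": rrsigs, "do": do, "ad": bool(flags & 0x0020)}

def unsigned_root_answer(msg):  # a DO-bit query to a signed zone should return RRSIGs
    return dnssec_summary(msg)["rrsigs"] == 0

ROOT_NS = rr(".", NS, encode_name("a.root-servers.net."))  # constructed sample record
SIGNED = build_response([ROOT_NS, rr(".", RRSIG, b"\x00" * 18)], [opt_rr(True)])  # placeholder RRSIG
MIRROR = build_response([ROOT_NS], [])  # mirror-style answer: no RRSIG, no OPT
```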
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop