Moin!

> On 10 Nov 2014, at 16:49, Brian Dickson <brian.peter.dick...@gmail.com> wrote:
> 
> The addresses associated with those names ( [a-m].root-servers.net ) are 
> replaceable in a way which is undetectable and unprotected by DNSSEC.
> 
> Thus, there is no need to hijack BGP routes. There is not even a requirement 
> that 13 unique addresses be used. The same single address could be served up 
> for all 13 entries (as glue data).
> 
> In that respect, arguably the proposal is kind of moot.
> 
> (On the other hand, I think this demonstrates the weakness of not pushing for 
> splitting the original "NS" into two different RR types (parent NS and child 
> NS), and making the authority for each the respective owner, and having the 
> owners signing them.)
> 
> I'd prefer to live in a world where BGP hijacking WAS necessary, and where 
> the root server addresses were signed, authoritatively served from within the 
> root zone directly (with no delegations).

Why? What matters is the content of the root zone aka the delegations to TLDs. 
All of these are signed if they use DNSSEC and that's the case for most TLDs. 
It really doesn't matter where the root zone is served from, quite the 
opposite. IMHO we should spread it as widely as possible right into the 
recursive resolvers.

With DNSSEC any modification (malicious or not) can be detected so the actual 
packet origin doesn't matter. The data origin/authenticity is what we care 
about.

So long
-Ralf
---
Ralf Weber 
e: d...@fl1ger.de


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
