* na...@as397444.net (Matt Corallo) [Sun 18 Jun 2023, 19:12 CEST]:
If its not useful, please describe a mechanism by which an average
recursive resolver can be protected against someone hijacking C root
on Hurricane Electric (which doesn't otherwise have the announcement
at all, last I heard) and responding with bogus data?
No comment on DNSSEC but lg.he.net indicates that they do in fact
carry a route to C-root:
---
1 76 ms * * port-channel2.core2.pao1.he.net (72.52.92.65)
2 44 ms 63 ms 78 ms palo-b24-link.ip.twelve99.net (195.12.255.209)
3 55 ms 66 ms 103 ms cogent-ic-344188.ip.twelve99-cust.net
(62.115.174.65)
4 74 ms 57 ms 120 ms be2431.ccr41.sjc03.atlas.cogentco.com
(154.54.88.189)
5 142 ms 99 ms 79 ms be3142.ccr21.sjc01.atlas.cogentco.com
(154.54.1.193)
6 53 ms 75 ms 111 ms be3176.ccr41.lax01.atlas.cogentco.com
(154.54.31.189)
7 82 ms 133 ms 85 ms te0-0-2-0.c-root.lax01.atlas.cogentco.com
(154.54.27.138)
8 60 ms 152 ms 84 ms c.root-servers.net (192.33.4.12)
Entry cached for another 60 seconds. 2023-06-18 17:57:17 UTC
---
I don't see any ROAs for AS2149's two originated prefixes, though:
https://irrexplorer.nlnog.net/prefix/192.33.4.0/24 so hijacks might
still be easier than they could be.
Regards
-- Niels.