> > Why do a rogue server? Why not just have the existing root operators
> > deploy v6 transport capable root servers that are official?
>
> no disagreement there.
>
> > If you feel that it is too risky to do that on the existing hardware ...
>
> obviously you missed the entire discussion. this is not about the usual
> software bugs. it's about cache poisoning of old servers in v4 space.
>
> > I would ask you to state a reason (other than possible expense) why
> > having a couple of "clone servers" run and administered by the same
> > folks running the current roots but on the 6bone and accepting
> > requests over v6 transport could cause an operational problem. What is
> > it, exactly, that we're fearing here?
>
> this was discussed in dnsop, and is in the dnsop minutes. it was discussed
> in ngtrans.
>
> to repeat the presentation:
>
> ----
>
> the v6 directorate and the i* would appreciate if today's dnsop meeting
> would add the following to its agenda:
>
> o if there actually is a need to experiment with a separate v6 root,
>
> o what is the cache hints and root zone content, and, given that
>
> o what are the possible vulnerabilities of the general internet, and if
> there are any
>
> o what are the limits/guidelines needed to prudently protect the net?
>
> an example of a worry is cache poisoning of an antique v4 bind.
A quick look at the code says that AAAA/A6 records won't
be cached. In fact you can use this technique for
fingerprinting nameservers.
Anti-cache poisoning techniques depend upon ownernames not
type.
The real worry with BIND 4 is that it does not support TCP
retries. So as long as a mix of A and A6/AAAA records make
it into the additional section and we don't increase the
answer section things should be ok.
Mark
>
> ----
>
> and there are thousands of vulnerable v4 binds still out there.
>
> randy
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
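The constraint Mark describes (a resolver with no TCP retry only ever sees what fits in one 512-byte UDP reply, so the answer section must not grow and only some AAAA glue can ride in the additional section) can be made concrete by measuring a priming-style response on the wire. The following is an added example, not code from this thread or from BIND: a minimal RFC 1035 message builder with name compression that reports the size of a root-style NS answer with A glue for every server and AAAA glue for the first k of them, and finds the largest k that still fits. The server names, addresses and TTL are constructed (documentation ranges), and the builder implements no real server behaviour such as setting TC or dropping additional records; it only measures size.

```python
"""Size check for a DNS priming-style response against the classic
512-byte UDP limit (RFC 1035, pre-EDNS0).

Added example, not code from the thread or from BIND.  Implements
RFC 1035 name compression and nothing else (no TC-bit handling,
no additional-section trimming).  Names and addresses are constructed
from documentation ranges."""
import ipaddress
import struct

UDP_LIMIT = 512                      # maximum UDP payload without EDNS0
TYPE_A, TYPE_NS, TYPE_AAAA = 1, 2, 28
CLASS_IN = 1
TTL = 3600


def encode_name(name, offsets, position):
    """Wire-encode a dotted name, replacing any suffix already written
    with a 2-byte compression pointer.  `offsets` maps suffix -> offset
    of its first occurrence; `position` is where this name starts."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    out = b""
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if suffix in offsets:                    # 0b11 + 14-bit offset
            return out + struct.pack("!H", 0xC000 | offsets[suffix])
        offsets[suffix] = position + len(out)
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"                         # root label terminates


def encode_rr(owner, rtype, rdata_fn, offsets, position):
    """One resource record.  rdata_fn(offsets, rdata_offset) returns the
    RDATA so names inside it can be compressed against earlier ones."""
    wire = encode_name(owner, offsets, position)
    # 10 fixed bytes between owner and RDATA: type, class, ttl, rdlength
    rdata = rdata_fn(offsets, position + len(wire) + 10)
    return wire + struct.pack("!HHIH", rtype, CLASS_IN, TTL, len(rdata)) + rdata


def build_priming_response(zone, servers, aaaa_count):
    """Answer: one NS per server.  Additional: A glue for every server
    and AAAA glue for the first `aaaa_count` of them.  The answer section
    never changes size, which is the condition set out in the thread."""
    offsets = {}
    arcount = len(servers) + aaaa_count
    msg = bytearray(struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(servers), 0, arcount))
    msg += encode_name(zone, offsets, len(msg)) + struct.pack("!HH", TYPE_NS, CLASS_IN)
    for host, _, _ in servers:
        msg += encode_rr(zone, TYPE_NS,
                         lambda off, pos, h=host: encode_name(h, off, pos),
                         offsets, len(msg))
    for i, (host, v4, v6) in enumerate(servers):
        msg += encode_rr(host, TYPE_A,
                         lambda off, pos, a=v4: ipaddress.IPv4Address(a).packed,
                         offsets, len(msg))
        if i < aaaa_count:
            msg += encode_rr(host, TYPE_AAAA,
                             lambda off, pos, a=v6: ipaddress.IPv6Address(a).packed,
                             offsets, len(msg))
    return bytes(msg)


def fits_in_udp(message):
    """True if a resolver without TCP fallback would get the whole reply."""
    return len(message) <= UDP_LIMIT


def max_aaaa_glue(zone, servers):
    """Largest number of AAAA glue records that keeps the reply within
    512 bytes while the answer section stays unchanged."""
    best = 0
    for k in range(len(servers) + 1):
        if fits_in_udp(build_priming_response(zone, servers, k)):
            best = k
    return best


def constructed_servers(n=13):
    """Constructed sample: a..m under a made-up domain, RFC 5737/3849 addresses."""
    return [(f"{chr(97 + i)}.root-servers.example.",
             f"192.0.2.{i + 1}", f"2001:db8::{i + 1:x}") for i in range(n)]


if __name__ == "__main__":
    srv = constructed_servers()
    for k in (0, len(srv)):
        m = build_priming_response(".", srv, k)
        print(f"{k:2d} AAAA glue records: {len(m)} bytes, fits={fits_in_udp(m)}")
    print("max AAAA glue that still fits:", max_aaaa_glue(".", srv))
```

With thirteen servers the A-only reply lands around 440 bytes, so only a couple of AAAA glue records fit before the 512-byte limit is crossed; a server that honours the limit sets TC and drops additional records, which a resolver without TCP retry cannot recover from, so the safe move is to cap the number of AAAA records offered rather than let the reply grow.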