On 9-Feb-2007, at 10:55, Edward Lewis wrote:

> At 15:20 +0100 2/9/07, Stephane Bortzmeyer wrote:
>> There is a thread on the CircleID information site:
>> http://www.circleid.com/posts/attack_internet_root_servers/
>> which, in the light of this week's attack on root name servers,
>> suggests keeping a local copy of the root zone.
>
> To add to "what I've heard in the past to do" list:
>
> Also keep a list of the IP addresses of the root servers, the
> originating AS numbers, and maybe even copies of "normal" traceroutes.

One thing you typically don't get if you're running your own stealth
root nameservers is TSIG-signed access to the zone data. This seems
like it introduces an additional attack vector for someone who wants
to subvert the root zone; you could announce a bogus route which
covers a root server's address, answer AXFR requests for a short
period with a bogus zone, then withdraw the route; the hijack window
required might be relatively short, and the bogus zone might persist
in those nameservers which retrieved it for a long time.

[This seems different to the problem of unauthenticated answers from
root servers being subverted and replaced by men in the middle; that
approach doesn't allow additional records to be added, whereas
serving a bogus zone via AXFR does.]

I also don't know of any formal undertaking by any of the current
"real" root nameserver operators to leave un-authenticated [AI]XFR
access to their servers for the root zone open, so there's the
operational issue of needing to verify regularly that transfers to
the stealth slave are succeeding.

>> I was surprised that there is apparently no formal document, either
>> RFC or else, on this subject "Local copy of the root zone considered
>> harmful | good". Did I miss something?
>
> I don't think anything so definitive on the topic would exist.

Would, or should?

Joe
_______________________________________________
DNSOP mailing list
https://www1.ietf.org/mailman/listinfo/dnsop
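
The operational check raised in the message above (verifying regularly that transfers to a stealth slave are succeeding, and noticing a copy that has diverged from what the root servers serve), sketched as an added example that is not part of the original thread. The reference names, serials and SOA timers are constructed sample data, and the step that collects SOA serials from several root servers is assumed and not shown.

```python
from collections import Counter

def serial_cmp(a, b):
    """RFC 1982 comparison of 32-bit SOA serials: -1 if a is older, 0, or 1."""
    if a == b:
        return 0
    # (b - a) mod 2^32 below 2^31 means b is ahead of a; the exact-half
    # case is undefined in RFC 1982 and is treated here as "a is newer".
    return -1 if ((b - a) & 0xFFFFFFFF) < 0x80000000 else 1

def assess(local_serial, reference_serials, secs_since_contact,
           refresh, retry, expire):
    """Return findings for a locally slaved copy of the root zone.

    reference_serials maps a server label to the SOA serial it returned
    (hypothetical collection step, ideally over independent paths).
    secs_since_contact is the time since the slave last reached a master.
    """
    if not reference_serials:
        return ["no-consensus"]
    consensus, votes = Counter(reference_serials.values()).most_common(1)[0]
    if votes * 2 <= len(reference_serials):
        return ["no-consensus"]          # references disagree, cannot judge
    findings = []
    order = serial_cmp(local_serial, consensus)
    if order > 0:
        findings.append("ahead")         # serial that most references do not serve
    elif order < 0:
        findings.append("behind")        # local copy has missed an update
    if secs_since_contact >= expire:
        findings.append("expired")       # zone should no longer be served
    elif secs_since_contact > refresh + retry:
        findings.append("refresh-failing")
    return findings

# Constructed sample data: three reference answers and SOA timer values.
REFS = {"ref-1": 2007020900, "ref-2": 2007020900, "ref-3": 2007020800}
SOA = dict(refresh=1800, retry=900, expire=604800)

if __name__ == "__main__":
    for label, serial, age in [("in sync", 2007020900, 600),
                               ("transfers failing", 2007020800, 4000),
                               ("unexpected serial", 2007020901, 600)]:
        print(label, assess(serial, REFS, age, **SOA))
```

Matching serials say nothing about zone content, so this catches failed or stalled transfers and an unexpected serial, not a bogus zone published under the current serial.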