On Sat, 10 Feb 2007, Pekka Savola wrote:

> As Bert mentioned in the next message, the risk of outdated (and therefore
> out-of-sync) roots is real.

I just compared the root zone as RedHat shipped it on Fri 07 Sep 2001,
with the root zone as published on root-servers.org, and only B and J
are different. So even using a 6-year-old root zone will work fine in
the case of a flat out successful attack against all root servers. I
will buy a beer for everyone on this list who doesn't have a 6-year-old
or newer root zone lying around within two hops of their desktop.

(and heck, if those are down, the collateral damage of that attack will
cause so much more trouble than running with your 6-year-old copy of the
root zone).

So, I think the "risk of outdated roots" is not something that has any
operational impact.

> Distributing the copies too far would create a
> similar situation as already happens when new IP address blocks are taken to
> use, and other networks still filter them as "bogons".  Experience with bogons
> has shown that there are always people who _don't_ update lists such as these
> yet still use them, and in the process degrade their users' service.

Note that the root zone and the bogon list are quite different issues and
shouldn't be compared. Using a six-year-old root zone has no impact, while
a week old bogon list will cause someone somewhere some serious pains.

Paul
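The comparison Paul describes (an old root hints file against the currently published one) is easy to automate. The script below is an added example, not part of the thread and not the comparison Paul actually ran: it parses two named.root-style hints files, reports which root servers' glue is unchanged, changed, added or removed, and lists the servers whose old addresses are still current, which is what decides whether priming from a stale file still succeeds. The two hints files embedded in it are constructed samples using RFC 5737 and RFC 3849 documentation addresses, not the real root server addresses.

```python
"""Diff two root hints files (named.root format) by root server.

Added example; the hints below are constructed samples with documentation
addresses (192.0.2.0/24, 198.51.100.0/24, 2001:db8::/32), not real root glue.
"""

# Constructed "old" hints file: the copy a resolver might have shipped with.
OLD_HINTS = """\
; constructed sample, not the real root hints
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.1
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.0.2.2
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.0.2.3
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.0.2.5
"""

# Constructed "current" hints file: B renumbered, C gained an IPv6 address,
# D is new, E is gone.  One line uses the optional IN class to exercise the parser.
NEW_HINTS = """\
; constructed sample, not the real root hints
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.1
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000  IN  A     198.51.100.2
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.0.2.3
C.ROOT-SERVERS.NET.      3600000      AAAA  2001:db8::3
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     192.0.2.4
"""


def parse_hints(text):
    """Return {server_name: set_of_addresses} from named.root-style text.

    Only A and AAAA glue records are kept; the NS lines name the servers
    but carry no address.  Owner names are normalised to upper case without
    the trailing dot.  TTL and the IN class are optional on each line.
    """
    servers = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        owner, rest = fields[0], fields[1:]
        # skip an optional numeric TTL and an optional IN class, in any order
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest.pop(0)
        if len(rest) < 2 or rest[0].upper() not in ("A", "AAAA"):
            continue
        name = owner.upper().rstrip(".")
        servers.setdefault(name, set()).add(rest[1].lower())
    return servers


def compare_hints(old_text, new_text):
    """Classify each root server by how its glue in the old file compares
    with the current one.  'still_reachable' lists servers for which at
    least one old address is still valid; priming from the old file works
    as long as that list is not empty."""
    old, new = parse_hints(old_text), parse_hints(new_text)
    report = {"unchanged": [], "changed": [], "removed": [],
              "added": [], "still_reachable": []}
    for name in sorted(set(old) | set(new)):
        if name not in new:
            report["removed"].append(name)
        elif name not in old:
            report["added"].append(name)
        elif old[name] == new[name]:
            report["unchanged"].append(name)
        else:
            report["changed"].append(name)
        if name in old and name in new and old[name] & new[name]:
            report["still_reachable"].append(name)
    return report


def priming_would_succeed(report):
    """True if at least one root server in the old file still answers at an
    address the old file knows about."""
    return bool(report["still_reachable"])


if __name__ == "__main__":
    result = compare_hints(OLD_HINTS, NEW_HINTS)
    for kind, names in result.items():
        print(f"{kind:16s} {', '.join(names) or '-'}")
    print("priming from old hints would succeed:", priming_would_succeed(result))
```

To run it against real files, read them with `open(path).read()` and pass the text to `compare_hints`; the parser ignores comments and tolerates the optional class field, so an unmodified named.root from a distribution package works as input.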

_______________________________________________
DNSOP mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dnsop