To:
hardie@equinix.com, lindberg@cdg.chalmers.se (Gunnar Lindberg)
Cc:
dnsop@cafax.se
From:
Harald Tveit Alvestrand <Harald@Alvestrand.no>
Date:
Sun, 22 Aug 1999 03:09:57 +0200
In-Reply-To:
<199908192248.PAA01033@kiwi.equinix.com>
Sender:
owner-dnsop@cafax.se
Subject:
Re: I-D ACTION:draft-lindberg-dnsop-isp-root-server-00.txt
At 15:48 19.08.99 -0700, hardie@equinix.com wrote:
> >
> > How do you know which "[a-m].root-servers.net" there are?
> >
> > My proposal is:
> >
> > 1) Don't. Use today's unicast routing as is. Simplicity. Good.
> >
> > 2) Let ISPs run RSs and let their customers be aware of reality.
> > Tell customers that NS(.) =
> > rs1.their.provider [1.2.3.45]
> > rs2.their.provider [1.2.4.56]
> > rs3.their.provider [1.2.5.67]
>
> The problem here is that they are not really roots. They derive their
> data from what you call "Real Root Servers" and they act as a new
> level in the hierarchy which is not reflected in the notation. If I
> understand your proposal correctly, rs1.their.provider would have to
> respond to an SOA request by claiming to be authoritative for . to
> avoid having internal servers just query up the chain to the Real Root
> Servers. That seems to imply that they would have to re-write the data
> they get from the Real Root Servers to claim that authority. That
> pretty much makes them an active man-in-the-middle attack and open to
> all sorts of problems, including a pretty easy form of splintering.

I don't get this - is any software anywhere actually routing queries to
the nameserver named in the SOA record?

I know for a fact that some zones have a nameserver in their SOA that
isn't in their NS list (in the case where I know why, it's because the
Real Master is behind a dialup link, but still with a fixed IP addr).

If not, I'd say that this distinction is part of the solution, not part
of the problem; where the info comes from is SOA, where you get it from
is NS.

The problem of who signs the NS set is a nasty one anyway.

                Harald

--
Harald Tveit Alvestrand, Maxware, Norway
Harald.Alvestrand@maxware.no
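[Editor's note, added to this archived message; the code below is not from the thread or from any of its participants.] The point Harald makes above, that the SOA MNAME names where the data comes from while the NS set names where you fetch it from, is easy to check for any zone you operate. The script below parses presentation-format records (the kind `dig` prints) and lists zones whose SOA MNAME does not appear among the published NS names. The records in SAMPLE_RECORDS are constructed for the example; the zone names, host names and serials are hypothetical and are not taken from the discussion. A real run would feed it the output of `dig +noall +answer ZONE SOA NS` for the zones of interest.

```python
"""Report zones whose SOA MNAME is not one of the published NS names.

Added example (not part of the original dnsop thread). It parses
dig-style presentation-format lines and compares, per zone, the SOA
MNAME (the primary master the data originates from) with the NS RRset
(the servers clients are told to query). Both can legitimately differ,
as the message above describes, so the output is a report, not a
verdict.
"""

# Constructed sample, not real DNS data. Names are hypothetical.
# example.test. has its MNAME in the NS set; hidden.test. models the
# "master behind a dialup link" case, where the SOA names a host that
# is deliberately not published as an NS.
SAMPLE_RECORDS = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2024010101 7200 900 1209600 3600
example.test. 3600 IN NS  ns1.example.test.
example.test. 3600 IN NS  ns2.example.test.
hidden.test.  3600 IN SOA dialup.hidden.test. hostmaster.hidden.test. 1 7200 900 1209600 3600
hidden.test.  3600 IN NS  ns1.hidden.test.
hidden.test.  3600 IN NS  ns2.hidden.test.
"""


def normalize(name: str) -> str:
    """Lower-case a domain name and force a trailing dot so comparisons are canonical."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def parse_records(text: str) -> dict:
    """Return {zone: {"mname": str | None, "ns": set[str]}} from presentation-format lines.

    Accepts the common "owner [ttl] [class] type rdata..." layout; other
    record types are ignored. Comments after ';' are stripped.
    """
    zones = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        owner = normalize(fields[0])
        rest = fields[1:]
        if rest and rest[0].isdigit():          # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() in ("IN", "CH", "HS"):  # optional class
            rest = rest[1:]
        if not rest:
            continue
        rtype, rdata = rest[0].upper(), rest[1:]
        entry = zones.setdefault(owner, {"mname": None, "ns": set()})
        if rtype == "SOA" and rdata:
            entry["mname"] = normalize(rdata[0])   # first SOA field is MNAME
        elif rtype == "NS" and rdata:
            entry["ns"].add(normalize(rdata[0]))
    return zones


def mname_not_in_ns(text: str) -> list:
    """Return sorted (zone, mname) pairs where the SOA MNAME is absent from the NS set.

    Zones with no SOA or no NS records in the input are skipped rather
    than reported, since nothing can be concluded about them.
    """
    report = []
    for zone, entry in parse_records(text).items():
        if entry["mname"] is None or not entry["ns"]:
            continue
        if entry["mname"] not in entry["ns"]:
            report.append((zone, entry["mname"]))
    return sorted(report)


if __name__ == "__main__":
    for zone, mname in mname_not_in_ns(SAMPLE_RECORDS):
        print(f"{zone}: SOA MNAME {mname} is not in the NS RRset")
```

Nothing in the resolution path consults MNAME to decide where to send queries; it is used by NOTIFY and dynamic update to find the primary, which is why a hidden or dialup master in the SOA is a configuration choice rather than a fault. The report is therefore a prompt to confirm that each divergence is intentional.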