Re: Last Call: Root Name Server Operational Requirements to BCP

["D. J. Bernstein" <djb@cr.yp.to>]

Randy Bush writes:
> i.e. a resolver does not look up 'a.root-servers.net' to find a root server.

http://cr.yp.to/dnscache/bugtraq/20000123114946-2072-qmail@cr-yp-to

The example shows ns2.netsol.com selectively redirecting a victim's
connections to yahoo.com.

Don't you think it looks rather silly to be putting so much effort into
protecting the real .com servers, when the weak point of the system
actually lies in the mechanism by which those servers are located?

Perhaps you'll say that you don't care whether all the TLDs are broken;
you're just worrying about the root zone. But your document says that
``major zone server operators,'' such as TLD operators, may find it
useful too.

By the way, according to RFC 1818, Best Current Practice documents
``describe best current practices.'' Several of your requirements don't
appear to describe current practices, never mind best current practices.
For example, 3.3.2 says that root servers ``MUST be DNSSEC-capable,''
but NSI says that the current servers would choke if DNSSEC were used.

---Dan