To: Randy Bush <randy@psg.com>
Cc: "Perry E. Metzger" <perry@wasabisystems.com>, Jim Bound <seamus@bit-net.com>, users@ipv6.org, dns op wg <dnsop@cafax.se>, ngtrans@sunroof.eng.sun.com
From: Mark.Andrews@nominum.com
Date: Thu, 18 Jan 2001 18:56:18 +1100
In-reply-to: Your message of "Wed, 17 Jan 2001 22:39:15 -0800." <E14J8j5-000JOh-00@rip.psg.com>
Sender: owner-dnsop@cafax.se
Subject: Re: IPv6 dns
> > Why do a rogue server? Why not just have the existing root operators
> > deploy v6 transport capable root servers that are official?
>
> no disagreement there.
>
> > If you feel that it is too risky to do that on the existing hardware ...
>
> obviously you missed the entire discussion. this is not about the usual
> software bugs. it's about cache poisoning of old servers in v4 space.
>
> > I would ask you to state a reason (other than possible expense) why
> > having a couple of "clone servers" run and administered by the same
> > folks running the current roots but on the 6bone and accepting
> > requests over v6 transport could cause an operational problem. What is
> > it, exactly, that we're fearing here?
>
> this was discussed in dnsop, and is in the dnsop minutes. it was discussed
> in ngtrans.
>
> to repeat the presentation:
>
> ----
>
> the v6 directorate and the i* would appreciate if today's dnsop meeting
> would add the following to its agenda:
>
> o if there actually is a need to experiment with a separate v6 root,
>
> o what is the cache hints and root zone content, and, given that
>
> o what are the possible vulnerabilities of the general internet, and if
> there are any
>
> o what are the limits/guidelines needed to prudently protect the net?
>
> an example of a worry is cache poisoning of an antique v4 bind.

	A quick look at the code says that AAAA/A6 records won't be cached.
	In fact you can use this technique for fingerprinting nameservers.
	Anti-cache poisoning techniques depend upon ownernames, not type.

	The real worry with BIND 4 is that it does not support TCP retries.
	So as long as a mix of A and A6/AAAA records make it into the
	additional section and we don't increase the answer section, things
	should be ok.

	Mark

>
> ----
>
> and there are thousands of vulnerable v4 binds still out there.
>
> randy

--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: Mark.Andrews@nominum.com
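The size concern in Mark's reply (extra AAAA glue in the additional section versus a resolver that cannot retry over TCP) can be checked numerically. This added example, which is not part of the original message, builds a root referral on the wire with RFC 1035 name compression and reports whether it still fits the classic 512-byte UDP limit; the server names follow the a-m.root-servers.net pattern and the glue addresses are constructed placeholders.

```python
import struct

NS, A, AAAA = 2, 1, 28  # RR type codes from RFC 1035 / RFC 3596

def add_name(msg, offsets, name):
    """Append a domain name to msg, compressing any suffix already present."""
    labels = [l for l in name.strip(".").split(".") if l]
    while labels:
        suffix = ".".join(labels)
        if suffix in offsets:
            msg += struct.pack("!H", 0xC000 | offsets[suffix])
            return
        if len(msg) < 0x4000:  # compression pointers only reach the first 16 KiB
            offsets[suffix] = len(msg)
        msg += bytes([len(labels[0])]) + labels[0].encode("ascii")
        labels = labels[1:]
    msg += b"\x00"  # root label terminates the name

def add_rr(msg, offsets, owner, rtype, rdata, ttl=3600000):
    """Append one resource record; rdata is a name for NS, raw bytes otherwise."""
    add_name(msg, offsets, owner)
    msg += struct.pack("!HHI", rtype, 1, ttl)  # type, class IN, TTL
    pos = len(msg)
    msg += b"\x00\x00"  # RDLENGTH, patched once rdata is written
    if rtype == NS:
        add_name(msg, offsets, rdata)
    else:
        msg += rdata
    struct.pack_into("!H", msg, pos, len(msg) - pos - 2)

def root_referral_size(num_servers=13, aaaa_glue=0):
    """Wire size of a root referral: NS set in the answer section, A glue for
    every server plus AAAA glue for the first aaaa_glue servers in additional."""
    offsets = {}
    names = ["%s.root-servers.net." % chr(ord("a") + i) for i in range(num_servers)]
    # Header: id, flags (QR set), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    msg = bytearray(struct.pack("!HHHHHH", 0, 0x8000, 1, num_servers, 0, num_servers + aaaa_glue))
    add_name(msg, offsets, ".")
    msg += struct.pack("!HH", NS, 1)  # question: ". NS IN"
    for n in names:
        add_rr(msg, offsets, ".", NS, n)
    for n in names:  # constructed placeholder A glue (10.0.0.1)
        add_rr(msg, offsets, n, A, bytes([10, 0, 0, 1]))
    for n in names[:aaaa_glue]:  # constructed placeholder AAAA glue (2001::)
        add_rr(msg, offsets, n, AAAA, b"\x20\x01" + b"\x00" * 14)
    return len(msg)

def fits_in_udp(size):
    """True if a pre-EDNS resolver can take the reply without falling back to TCP."""
    return size <= 512
```

With 13 servers and A glue only the referral is 436 bytes; each AAAA glue record adds 28 bytes, so the third one pushes the reply past 512 bytes and sets the truncation bit for exactly the resolvers the thread worries about.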