

To: Mark.Andrews@nominum.com
Cc: randy@psg.com (Randy Bush), perry@wasabisystems.com (Perry E. Metzger), seamus@bit-net.com (Jim Bound), users@ipv6.org, dnsop@cafax.se (dns op wg), ngtrans@sunroof.eng.sun.com
From: Bill Manning <bmanning@isi.edu>
Date: Thu, 18 Jan 2001 04:00:54 -0800 (PST)
In-Reply-To: <200101180756.f0I7uIF56763@drugs.dv.isc.org> from "Mark.Andrews@nominum.com" at Jan 18, 2001 06:56:18 PM
Sender: owner-dnsop@cafax.se
Subject: Re: IPv6 dns

The RSSAC has talked about v6 roots for the past couple of
years. There are IESG and IAB members as part of this group.
Several members of the RSSAC have established a testbed 
and there has been discussion on how to open it up for more
general use. Perhaps some of the material from the last
few RSSAC discussions might be useful to ngtrans & dnsops?
Or the IESG & IAB members of RSSAC could pass on that information
to the protocol organization, the IETF.


% 
% 
% > > Why do a rogue server? Why not just have the existing root operators
% > > deploy v6 transport capable root servers that are official?
% > 
% > no disagreement there.
% > 
% > > If you feel that it is too risky to do that on the existing hardware ...
% > 
% > obviously you missed the entire discussion.  this is not about the usual
% > software bugs.  it's about cache poisoning of old servers in v4 space.
% > 
% > > I would ask you to state a reason (other than possible expense) why
% > > having a couple of "clone servers" run and administered by the same
% > > folks running the current roots but on the 6bone and accepting
% > > requests over v6 transport could cause an operational problem. What is
% > > it, exactly, that we're fearing here?
% > 
% > this was discussed in dnsop, and is in the dnsop minutes.  it was discussed
% > in ngtrans.
% > 
% > to repeat the presentation:
% > 
% > ----
% > 
% > the v6 directorate and the i* would appreciate if today's dnsop meeting
% > would add the following to its agenda:
% > 
% >   o if there actually is a need to experiment with a separate v6 root,
% > 
% >   o what is the cache hints and root zone content, and, given that
% > 
% >   o what are the possible vulnerabilities of the general internet, and if
% >     there are any
% > 
% >   o what are the limits/guidelines needed to prudently protect the net?
% > 
% > an example of a worry is cache poisoning of an antique v4 bind.
% 
% 	A quick look at the code says that AAAA/A6 records won't
% 	be cached.  In fact you can use this technique for
% 	fingerprinting nameservers.
% 
% 	Anti-cache poisoning techniques depend upon owner names,
% 	not type.
% 
% 	The real worry with BIND 4 is that it does not support TCP
% 	retries.  So as long as a mix of A and A6/AAAA records makes
% 	it into the additional section and we don't increase the
% 	answer section, things should be ok.
% 
% 	Mark
% 
% > 
% > ----
% > 
% > and there are thousands of vulnerable v4 binds still out there.
% > 
% > randy
% --
% Mark Andrews, Nominum Inc.
% 1 Seymour St., Dundas Valley, NSW 2117, Australia
% PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@nominum.com
% 


-- 
--bill
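An added example, not from this thread, of the additional-section point Mark raises: it wire-encodes a root-priming response (NS RRset in the answer section, glue in the additional section) with RFC 1035 name compression for a constructed set of thirteen root servers, and reports whether adding AAAA glue pushes the reply past the 512-byte UDP limit, the case in which a resolver with no TCP retry is left with a truncated answer. Server names and addresses are made up; A6 is not modelled.

```python
import ipaddress
import struct

UDP_LIMIT = 512  # pre-EDNS0 maximum DNS/UDP payload (RFC 1035)

# Constructed root server set: names, v4 and v6 glue are all made up.
ROOTS = [(f"{c}.root-servers.example", f"192.0.2.{i + 1}", f"2001:db8::{i + 1:x}")
         for i, c in enumerate("abcdefghijklm")]


def _encode_name(name, comp, offset):
    """Wire-encode a dotted name with RFC 1035 label compression; comp maps
    each suffix already on the wire to its offset and is replaced by a pointer."""
    out = b""
    labels = name.rstrip(".").split(".") if name.rstrip(".") else []
    while labels:
        suffix = ".".join(labels)
        if suffix in comp:
            return out + struct.pack("!H", 0xC000 | comp[suffix])
        comp[suffix] = offset + len(out)
        label = labels.pop(0).encode()
        out += bytes([len(label)]) + label
    return out + b"\x00"  # root label terminates the name


def _rr(owner, rtype, rdata_fn, comp, offset):
    """One IN-class RR; rdata_fn(off) builds rdata that starts at wire offset off."""
    name = _encode_name(owner, comp, offset)
    rdata = rdata_fn(offset + len(name) + 10)  # 10 = type, class, ttl, rdlength
    return name + struct.pack("!HHIH", rtype, 1, 3600000, len(rdata)) + rdata


def priming_response_size(servers, with_aaaa):
    """Bytes in a '. IN NS' priming response: NS RRset in the answer section,
    A glue (plus AAAA glue when with_aaaa) in the additional section."""
    comp = {}
    arcount = len(servers) * (2 if with_aaaa else 1)
    msg = bytearray(struct.pack("!HHHHHH", 0, 0x8400, 1, len(servers), 0, arcount))
    msg += _encode_name(".", comp, len(msg)) + struct.pack("!HH", 2, 1)  # ". NS IN"
    for name, _v4, _v6 in servers:
        msg += _rr(".", 2, lambda off: _encode_name(name, comp, off), comp, len(msg))
    for name, v4, v6 in servers:
        msg += _rr(name, 1, lambda off: ipaddress.IPv4Address(v4).packed, comp, len(msg))
        if with_aaaa:
            msg += _rr(name, 28, lambda off: ipaddress.IPv6Address(v6).packed, comp, len(msg))
    return len(msg)


def exceeds_udp_limit(servers, with_aaaa):
    """True when the reply would carry the TC bit on a 512-byte UDP channel."""
    return priming_response_size(servers, with_aaaa) > UDP_LIMIT
```

With thirteen servers the A-only reply fits in 440 bytes while adding AAAA glue for all of them reaches 804 bytes, so a server must either drop glue from the additional section or set TC.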
