

To: perry@piermont.com (Perry E. Metzger)
Cc: bmanning@isi.edu (Bill Manning), moore@cs.utk.edu (Keith Moore), randy@psg.com (Randy Bush), he@runit.no (Havard Eidnes), seamus@bit-net.com, users@ipv6.org, dnsop@cafax.se, ngtrans@sunroof.eng.sun.com
From: Bill Manning <bmanning@isi.edu>
Date: Sun, 21 Jan 2001 14:04:57 -0800 (PST)
In-Reply-To: <871ytwybny.fsf@snark.piermont.com> from "Perry E. Metzger" at Jan 21, 2001 01:58:57 PM
Sender: owner-dnsop@cafax.se
Subject: Re: (ngtrans) Re: IPv6 dns

% 
% 
% Bill Manning <bmanning@ISI.EDU> writes:
% > The last time it was seriously raised was at the Joint IETF/ISOC mtg in 
% > Montreal. The failure modes are pretty spectacular, at least until
% > DNSsec is deployed and applications can verify the accuracy of the data
% > received from a root server.
% 
% You can probably manage to forge data in a significant way right now
% -- I'm not sure host routes in the DFZ would make that substantially
% worse. It is also possible to use standard policy mechanisms to note
% attempts to hijack one of the routes...
% 
% .pm
% 

	Two considerations:
	1) getting general consensus by Operators to add this variance
	   to their SOP on which things get into their routing tables
	  (VERY HARD)
	2) Forged route announcements... folks pay more attention to 
	   a forged entry for 18.0.0.0/8 than 192.168.10.10/32... although
	   this "feature" is a key component of the Otha-san/Hardie 
	   "anycast" root server (drafts).

	I'd really want to have some method to authenticate the chain
	and have an embedded x509 CERT ... if we go to host routes.
	(mind, I think it's a good idea :)

--bill
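As an added illustration of the "standard policy mechanisms" Perry mentions and of Bill's point about a forged 192.168.10.10/32 drawing less attention than a forged 18.0.0.0/8, the following Python is example code written for this archive page, not from any of the thread's participants. It checks observed BGP announcements against an expected-origin table (the role an IRR route object plays) and flags two things: an announcement of an expected prefix from an unexpected origin AS, and a more-specific announcement that would win longest-match over the expected route. The prefixes, AS numbers, collector names and update records are all constructed for the example.

```python
import ipaddress

# Constructed expected-origin table: prefix -> AS numbers allowed to originate it.
# 198.51.100.53/32 stands in for a hypothetical root-server host route.
EXPECTED = {
    "192.0.2.0/24": {64500},
    "198.51.100.53/32": {64501},
}


def classify(announced_prefix, origin_as, expected=EXPECTED):
    """Classify one announcement against the expected-origin table.

    Returns (verdict, matched_expected_prefix). The match is the longest
    expected prefix that overlaps the announcement, since that is the entry
    a longest-match lookup would compete with.
    """
    net = ipaddress.ip_network(announced_prefix)
    best = None
    for p in expected:
        exp = ipaddress.ip_network(p)
        if exp.version != net.version:
            continue  # subnet_of() raises on mixed IPv4/IPv6 comparisons
        if net.subnet_of(exp) or exp.subnet_of(net):
            if best is None or exp.prefixlen > best.prefixlen:
                best = exp
    if best is None:
        return ("unknown", None)
    allowed = expected[str(best)]
    if net == best:
        # Same prefix length: only the origin AS distinguishes real from forged.
        return ("valid" if origin_as in allowed else "origin-mismatch", str(best))
    if net.subnet_of(best):
        # More specific than the expected route: it wins longest-match,
        # so anything not from an allowed origin is a hijack of that prefix.
        return ("more-specific-ok" if origin_as in allowed else "more-specific-hijack", str(best))
    # Less specific than an expected host route: a covering aggregate,
    # which does not override the /32 and is normal.
    return ("covering-aggregate", str(best))


def audit(updates, expected=EXPECTED):
    """Run classify() over (prefix, origin_as, collector) records; return the alerts."""
    alerts = []
    for prefix, origin_as, collector in updates:
        verdict, matched = classify(prefix, origin_as, expected)
        if verdict in ("origin-mismatch", "more-specific-hijack"):
            alerts.append((prefix, origin_as, collector, verdict, matched))
    return alerts


# Constructed sample of announcements as a route collector might report them.
SAMPLE_UPDATES = [
    ("192.0.2.0/24", 64500, "collector-a"),      # legitimate origin
    ("192.0.2.128/25", 64666, "collector-b"),    # more-specific of the /24, wrong origin
    ("198.51.100.53/32", 64501, "collector-a"),  # the host route, legitimate origin
    ("198.51.100.53/32", 64666, "collector-c"),  # forged host route, same length, wrong origin
    ("198.51.100.0/24", 64502, "collector-a"),   # covering aggregate, normal
    ("203.0.113.0/24", 64503, "collector-a"),    # not in the table at all
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_UPDATES):
        print(alert)
```

The forged /32 is only distinguishable from the real one by its origin AS, which is exactly why the check is no stronger than the table it consults; that is the gap Bill's request for an authenticated chain is aimed at.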
