To: David Conrad <david.conrad@nominum.com>
Cc: Brad Knowles <brad.knowles@skynet.be>, DNS Operations <dnsop@cafax.se>
From: Randy Bush <randy@psg.com>
Date: Thu, 10 Oct 2002 16:09:09 +0900
Sender: owner-dnsop@cafax.se
Subject: Re: Interim signing of the root zone.

> Can you describe the issues you see with anycast and how DNSSEC would
> address those issues?

w/o dnssec, one can not differentiate anycasted root from a routing attack on that root. see <http://www.nanog.org/mtg-0206/ppt/massey/index.htm> for how one might defend against such attacks.

as dnssec is finally approaching deployment, it seems imprudent to rush into a not obviously critical anycast deployment when a little patience would seem harmless.

with dnssec, anycast authoritative servers are way cool, clearly safe, and quite deployable. without dnssec, it seems grandstanding to no prudent useful end.

randy