To:
Randy Bush <randy@psg.com>
CC:
David Conrad <david.conrad@nominum.com>, Brad Knowles <brad.knowles@skynet.be>, DNS Operations <dnsop@cafax.se>
From:
Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Date:
Fri, 11 Oct 2002 10:09:59 +0859 ()
In-Reply-To:
<E17zXRV-000BbT-00@roam.psg.com> from Randy Bush at "Oct 10, 200204:09:09 pm"
Sender:
owner-dnsop@cafax.se
Subject:
Re: Interim signing of the root zone.
Randy; > > Can you describe the issues you see with anycast and how DNSSEC would > > address those issues? > > w/o dnssec, one can not differentiate ancasted root from a routing attack > on that root. see <http://www.nanog.org/mtg-0206/ppt/massey/index.htm> > for how one might defend against such attacks. As was discussed severail times in past meetings, the routing attack on unicasted root is equally harmful. A simple protection for an ISP is not to blindly receive any route from customers and to have peering relationship only with reliable ISPs, both of which are the current practice of sane ISPs. Another protection for an ISP is to have its own root servers with the anycast address, which means anycasted root IMPROVES the security. > as dnssec is finally approaching deployment, it seems imprudent to rush > into a not obviously critical anycast deployment when a little patience > would seem harmless. DNSSEC, or any CA-based security, is not really secure and is undeployable for any practical security. > with dnssec, anycast authoritative servers are way cool, clearly safe, > and quite deployable. The fundamental question is who assures that it is safe. That is, how much is compensated from who, if the security is compromized? Masataka Ohta #---------------------------------------------------------------------- # To unsubscripbe, send a message to <dnsop-request@cafax.se>.