

To: Bruce Campbell <bruce.campbell@ripe.net>
CC: dnsop@cafax.se
From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Date: Fri, 1 Nov 2002 10:30:13 +0859 ()
In-Reply-To: <Pine.LNX.4.44.0210311701070.17262-100000@x22.ripe.net> from BruceCampbell at "Oct 31, 2002 05:18:12 pm"
Sender: owner-dnsop@cafax.se
Subject: Re: DoS and anycast

Bruce;

> > Note that an ISP may run anycast root servers on all the 13 root
> > server addresses that DoS on some does not redirect query to a
> > root server operated by someone else.
> 
> Certainly, and there's nothing technical stopping ISPs from doing that
> today.

And, we should recommend so.

> > Even if you believe in public key cryptography, what's wrong with
> > https?
> 
> You mentioned using https for (anycast) roots to _retrieve_ the root zone
> from an authoritative source.  Wonderful, it'd definitely be a workable
> solution for this backchannel, hence there's nothing wrong with https in
> that context.

Isn't it what you requested?

> However, signing the root zone helps the clients, who, due to the design
> of DNS, do not have the option of using https to query the roots.

Anycast servers protect the clients from external forged routes,
so that there is no need for insisting on signing.

						Masataka Ohta