In message <564ba6e9.2050...@hireahit.com>, Dave Warren writes:
> On 2015-11-17 14:13, Mark Andrews wrote:
> > In message <564ba3e3.9060...@hireahit.com>, Dave Warren writes:
> >> On 2015-11-16 18:09, Grant Taylor wrote:
> >>> It's my understanding that ALL of the root servers would have to
> >>> change all of their addresses at the same time for DNS to be impacted.
> >> Or, the IP formerly used as a root server could turn malicious and start
> >> offering an alternate response. This would only impact resolvers that
> >> had outdated root hints, and also happened to try that particular IP
> >> first, but it's at least a theoretical risk.
> > Which is why those addresses get held back from reassignment. It is a
> > known risk that is mitigated.
> Understood and agreed, there's little real-world risk, but it's
> important to understand that this risk is mitigated by policy, not by
> technology.

Given the root zone is signed and most of the TLDs are also signed there
is little a rogue operator can do besides causing a DoS if you validate
the returned answers.

> --
> Dave Warren
> http://www.hireahit.com/
> http://ca.linkedin.com/in/davejwarren
>

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
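As an added example (not from the thread, nor ISC or BIND code), a small Python check a resolver operator could run to find root hints that still carry an address the root zone no longer publishes, the "outdated root hints" case the thread discusses; the hints file and the "current" records below are constructed samples using documentation addresses, not the real root-server addresses, and in practice the current records would come from a validating resolver so that DNSSEC, the mitigation Mark names, covers the comparison too.

```python
"""Flag root-hint addresses that the root zone no longer lists."""
import re

# Constructed sample hints file (named.root layout). B's A record is stale.
LOCAL_HINTS = """\
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:db8:a::30
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.0.2.201
"""

# Constructed sample of what the root zone currently publishes (in practice
# fetched with DNSSEC validation, e.g. `dig +dnssec . NS` and the glue).
CURRENT_RECORDS = """\
.                        518400       NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      518400       A     192.0.2.4
A.ROOT-SERVERS.NET.      518400       AAAA  2001:db8:a::30
.                        518400       NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      518400       A     192.0.2.53
B.ROOT-SERVERS.NET.      518400       AAAA  2001:db8:b::53
"""

# owner  ttl  [IN]  type  rdata   (class is optional, as in named.root)
RR = re.compile(r"^(\S+)\s+(\d+)\s+(?:IN\s+)?(NS|A|AAAA)\s+(\S+)\s*$", re.I)

def parse_hints(text):
    """Return {server name: set of addresses}; NS lines only register the name."""
    servers = {}
    for line in text.splitlines():
        m = RR.match(line.split(";", 1)[0].rstrip())  # strip ';' comments
        if not m:
            continue
        owner, _ttl, rtype, rdata = m.groups()
        if rtype.upper() == "NS":
            servers.setdefault(rdata.lower(), set())
        else:
            servers.setdefault(owner.lower(), set()).add(rdata.lower())
    return servers

def stale_hints(local, current):
    """Addresses the hints still trust but the root zone no longer lists: a
    resolver priming from this file may still send queries there."""
    return {name: sorted(addrs - current.get(name, set()))
            for name, addrs in local.items() if addrs - current.get(name, set())}

def missing_hints(local, current):
    """Current addresses the hints lack (priming still works, file is old)."""
    return {name: sorted(addrs - local.get(name, set()))
            for name, addrs in current.items() if addrs - local.get(name, set())}

if __name__ == "__main__":
    local, current = parse_hints(LOCAL_HINTS), parse_hints(CURRENT_RECORDS)
    print("stale:", stale_hints(local, current))
    print("missing:", missing_hints(local, current))
```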