That's great in theory, and folks should be using DNSSEC [1], but we all know there's plenty of
places out there in this wide world that don't do things right, and absolutely *do* rely on packets
getting to the correct place.
I'm not saying we shouldn't whack those folks with a cluestick [1] (we should), I'm saying we should
also not bother making it easier for an attacker to hijack these poor misguided souls.
Matt
[1] $(dig +short pumpkey.net ds) returns nothing here, so I guess you are included in the set of
folks who should really upgrade their DNS security to stop relying on the trust packets are getting
to the right place.
On 6/17/23 6:05 PM, Crist Clark wrote:
IP addresses cannot and should not be trusted. It’s not like you can really trust your packets going
to B _today_ are going to and from the real B (or Bs).
If the security of DNS relies on no one intercepting or spoofing responses of some of your queries
to a root server, it’s been game over for a long time.
On Sat, Jun 17, 2023 at 10:29 AM Matt Corallo <na...@as397444.net
<mailto:na...@as397444.net>> wrote:
On 6/17/23 7:12 AM, Tom Beecher wrote:
> Bill-
>
> Don't say, "We'll keep it up for as long as we feel like it, but at
> least a year." That's crap.
>
>
> 30% of the root servers have been renumbered in the last 25 years.
>
> h : 2015
> d: 2013
> l : 2007
> j : 2002
>
> For these 4 cases, only a 6 month transition time was provided, and the
internet as we know
it did
> not fall over in a flaming pile. ( One could argue it was ALREADY a
flaming pile, but that's a
> different discussion.)
There’s a huge difference between “no one noticed any issues because
recursive resolvers will
seamlessly fall back to other root servers if there’s an outage” and “there
aren’t issues”.
For non-DNSSEC-verifying-resolvers (sheesh, but they still exist), if the
IPs are eventually
released and someone stands up a DNS server on them you could cause real
harm.
Does this need to be over-engineered to prevent that? No, though doing a
few tricks to help the
poor
folks on unmaintained recursive resolvers isn’t bad either.
But lack of visible issues doesn’t mean that users aren’t put at risk. That
said, I have no idea if
the old number resources were released or no longer announced in the DFZ
after the previous
renumbers, which would really be the point at which concern is warranted,
not simply no longer
responding.
Matt
