
Re: AW: Odd policy question.
From: bmanning () vacation karoshi com
Date: Fri, 13 Jan 2006 22:52:19 +0000

On Fri, Jan 13, 2006 at 12:09:51PM -1000, Randy Bush wrote:

Well, RFC2010 section 2.12 hints at cache pollution attacks, and that's
been discussed already.  Note that I can't seem to find the same claim
in RFC2870, which obsoletes 2010 (and the direction against recursive
service is still there).

despite others saying that 2870 should apply to servers other
than root servers, i do not support that.  and that leaves
aside that some root servers do not follow it very well.


        RFC 2870 was crafted at a time when the machines hosting the
        root zone also hosted several -large- TLD zones.  Anycast was
        not widely used when this document was written.  RFC 2010 did
        indicate that requirements would likely change in future, while
        RFC 2870 reinforced the then status quo.

        Perhaps the most fatal mistake of RFC 2870 was the ambiguous
        treatment of the service provisioning as distinctly different
        than protecting the availability of the (single?) instance of
        the hardware that provides that service.  

        Given the changed nature of the publication platform for the root
        zone, (no big TLDs hosted there anymore) and the widescale use of
        anycast in the root, while not with many TLDs - it is clear to me
        that RFC 2870 applicability is oriented more toward TLD operations.

        For these and a few other reasons, no root server operator that
        i am aware of (save ICANN) actually tries to follow RFC 2870... 
        Several try and follow RFC 2010 still ... despite the I[E/V]TF's 
        marking of "obsolete" on RFC 2010.  That said, there might be a 
        replacement for both offered up - if time allows.  

