Re: New addresses for b.root-servers.net

[Matt Corallo <nanog () as397444 net>]

That's great in theory, and folks should be using DNSSEC [1], but we all know there's plenty of 
places out there in this wide world that don't do things right, and absolutely *do* rely on packets 
getting to the correct place.

I'm not saying we shouldn't whack those folks with a cluestick [1] (we should), I'm saying we should 
also not bother making it easier for an attacker to hijack these poor misguided souls.

Matt

[1] $(dig +short pumpkey.net ds) returns nothing here, so I guess you are included in the set of 
folks who should really upgrade their DNS security to stop relying on the trust packets are getting 
to the right place.

On 6/17/23 6:05 PM, Crist Clark wrote:
> IP addresses cannot and should not be trusted. It’s not like you can really trust your packets going 
> to B _today_ are going to and from the real B (or Bs).
>
> If the security of DNS relies on no one intercepting or spoofing responses of some of your queries 
> to a root server, it’s been game over for a long time.
>
>
> On Sat, Jun 17, 2023 at 10:29 AM Matt Corallo <nanog () as397444 net <mailto:nanog () as397444 net>> wrote:
>
>
>
>     On 6/17/23 7:12 AM, Tom Beecher wrote:
>      > Bill-
>      >
>      >     Don't say, "We'll keep it up for as long as we feel like it, but at
>      >     least a year." That's crap.
>      >
>      >
>      > 30% of the root servers have been renumbered in the last 25 years.
>      >
>      > h : 2015
>      > d: 2013
>      > l : 2007
>      > j : 2002
>      >
>      > For these 4 cases, only a 6 month transition time was provided, and the internet as we know
>     it did
>      > not fall over in a flaming pile. ( One could argue it was ALREADY a flaming pile, but that's a
>      > different discussion.)
>
>     There’s a huge difference between “no one noticed any issues because recursive resolvers will
>     seamlessly fall back to other root servers if there’s an outage” and “there aren’t issues”.
>
>     For non-DNSSEC-verifying-resolvers (sheesh, but they still exist), if the IPs are eventually
>     released and someone stands up a DNS server on them you could cause real harm.
>
>     Does this need to be over-engineered to prevent that? No, though doing a few tricks to help the
>     poor
>     folks on unmaintained recursive resolvers isn’t bad either.
>
>     But lack of visible issues doesn’t mean that users aren’t put at risk. That said, I have no idea if
>     the old number resources were released or no longer announced in the DFZ after the previous
>     renumbers, which would really be the point at which concern is warranted, not simply no longer
>     responding.
>
>     Matt