F.ROOT-SERVERS.NET moved to Beijing?
Danny McPherson
danny at tcb.net
Mon Oct 3 13:27:46 UTC 2011
On Oct 3, 2011, at 7:29 AM, Tony Finch wrote:
>
> If you are running BIND 9.8 there is really no reason not to turn on
> DNSSEC validation, then you won't have to worry about anycast routes
> leaking from behind the great firewall.
User Exercise: What happens when you enable integrity checking in an
application (e.g., 'dnssec-validation auto') and datapath manipulation
persists? Bonus points for analysis of implementation and deployment
behaviors and resulting systemic effects.
Network layer integrity techniques and secure routing infrastructure are
all that's going to fix this. In the interim, the ability to detect such
incidents at some rate faster than the speed of mailing lists would be
ideal.
-danny
More information about the NANOG
mailing list