AW: Odd policy question.
bmanning at vacation.karoshi.com
Fri Jan 13 22:52:19 UTC 2006
On Fri, Jan 13, 2006 at 12:09:51PM -1000, Randy Bush wrote:
>
> > Well, RFC2010 section 2.12 hints at cache pollution attacks, and that's
> > been discussed already. Note that I can't seem to find the same claim
> > in RFC2870, which obsoletes 2010 (and the direction against recursive
> > service is still there).
>
> despite others saying that 2870 should apply to servers other
> than root servers, i do not support that. and that leaves
> aside that some root servers do not follow it very well.
>
> randy
RFC 2870 was crafted at a time when the machines hosting the
root zone also hosted several -large- TLD zones. Anycast was
not widely used when this document was written. RFC 2010 did
indicate that requirements would likely change in future, while
RFC 2870 reinforced the then status quo.
Perhaps the most fatal mistake of RFC 2870 was the ambiguous
treatment of the service provisioning as distinctly different
from protecting the availability of the (single?) instance of
the hardware that provides that service.
Given the changed nature of the publication platform for the root
zone (no big TLDs hosted there anymore) and the wide-scale use of
anycast in the root, while not with many TLDs - it is clear to me
that RFC 2870's applicability is oriented more toward TLD operations.
For these and a few other reasons, no root server operator that
I am aware of (save ICANN) actually tries to follow RFC 2870...
Several try to follow RFC 2010 still ... despite the I[E/V]TF's
marking of "obsolete" on RFC 2010. That said, there might be a
replacement for both offered up - if time allows.
--bill