Multiple DNS implementations vulnerable to cache poisoning

David Conrad drc at
Wed Jul 9 19:30:08 UTC 2008

On Jul 9, 2008, at 10:39 AM, <michael.dillon at> <michael.dillon at 
 > wrote:
>>> Pressure your local ICANN officers?
>> Mmph.
>> (it's out of ICANN's hands)
> Huh!?
> ...
> It sounds like ICANN has the matter well in hand to me given
> that it is only responsible for the common central bit of the
> DNS system.

Two answers:

1) The term 'signing the root' means a whole lot more than running  
dnssec-signzone over zone data.  Specifically, the URL I provided  
shows that IANA is _already_ signing the root (more or less) and has  
been for over a year -- IANA actually has a _very_ elaborate and  
secure infrastructure (including multiple FIPS 140-3 hardware security  
modules, air gaps, physical security, and all sorts of other stuff)  
for root signing.  The fact that root zone data you receive from the  
root servers is not signed may suggest that there is a bit more that  
needs to be done and pretty much all of that is NOT something ICANN  
has direct control over.

2) You are exactly right when you say:

> The rest of the job is everyone's problem.

Getting DNSSEC to be more than an academic exercise requires BOTH  
folks signing zones that form an unbroken chain of trust up to a trust  
anchor configured in validating name servers AND for the operators of  
those validating name servers to enable DNSSEC.  Most of the thrust to  
date has been on one half of that requirement.  How many ISPs  
represented here are in a position to turn on DNSSEC validation?  How  
many are even running caches that are capable of doing DNSSEC?

For DNSSEC to actually be useful, I suspect somebody needs to write  
software that provides the user with some indication other than a  
timeout that a name validation failed, but that's a separate issue.


More information about the NANOG mailing list