
Re: New zones for the experiment

--On 7. august 2001 19:21 +0859 Masataka Ohta 
<mohta@necom830.hpcl.titech.ac.jp> wrote:

> Harald;
>
>> At the dnsdir dinner we talked about getting more traffic into the AROOT
>> servers.
>>
>> I would like to offer up 2 sacrificial victims:
>>
>> - alvestrand.no (master server is eikenes.alvestrand.no, 217.13.28.203)
>> - counter.li.org (master server WILL BE, BUT IS NOT
>> aleph.counter.li.org, 158.38.60.136; it is a secondary now)
>
> Thank you. Are the master servers ready to accept XFR requests from
> other servers?

Yes. They are naively trusting, and will allow anyone to axfr from them.
>
>> Questions that rise to my mind, and neatly illustrate something about
>> the management of multiprovider anycast DNS:
>>
>> - who is responsible for accepting or denying this request?
>
> Requests to add zones to share an anycast address are, of course,
> not considered for the draft on the root zone.

of course. I was thinking strictly of the aroot experiment.
>
> For production use, different anycast addresses should be provided
> for different zones, I think.
>
>> - how do I tell that all the servers have been reconfigured to serve the
>> zone, so that I can insert official NS records?
>
>> (is that the right sequence, btw? a DNS neophyte asks...)
>> - how do I even tell who all the servers are????
>
> You can't.

:-)
but if anyone is keeping track of the servers that we know about, I'd like 
a copy.

>
> DNS clients can detect anomaly, instead.

yes.
but - they can only detect inconsistency if they are asking multiple 
servers.
and in the absence of dnssec, they cannot tell damage from changes.

> If you are not convinced, forget the draft and think about how we can
> detect some ISP running a fake root server with the same IP
> address as an official one?

good question. isomorphic to the problem of detecting any unauthorized 
announcement of a route into the BGP, I think.
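The point made above (a client can only notice an inconsistent anycast instance by asking more than one server, and without DNSSEC it cannot tell a damaged copy from a legitimate change) can be made concrete with a small consistency check. The script below is an added example for this thread, not code from either correspondent or from the AROOT experiment: it builds a SOA query in DNS wire format, parses the SOA serial out of each answer, and reports whether every server agrees. The servers, the RNAME "hostmaster.example." and the serial numbers are constructed sample values; the responses are built in-process so the check runs offline, and the hand-written packet builder and parser are this example's own assumption rather than any library's API.

```python
"""Compare the SOA serial a zone reports from several (anycast) servers.

Constructed DNS messages stand in for live queries so the check runs
offline. Disagreeing answers are reported as *inconsistent* only: without
DNSSEC the comparison cannot say which copy is the damaged one.
"""
import struct

SOA = 6     # RR type
IN = 1      # RR class


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels, e.g. 'a.b.' -> b'\\x01a\\x01b\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:          # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def build_soa_query(zone: str, txid: int) -> bytes:
    """Standard query with RD set and one question: <zone> SOA IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", SOA, IN)


def build_soa_response(query: bytes, mname: str, rname: str, serial: int) -> bytes:
    """Constructed answer echoing the query with one SOA RR (sample data only)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    rdata = (encode_name(mname) + encode_name(rname)
             + struct.pack("!IIIII", serial, 3600, 900, 604800, 3600))
    # 0xC00C is a compression pointer back to the QNAME at offset 12
    answer = b"\xC0\x0C" + struct.pack("!HHIH", SOA, IN, 3600, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    return header + question + answer


def parse_soa_serial(query: bytes, response: bytes):
    """Return the serial from the first SOA answer, or None when the response
    does not belong to the query (wrong ID, not a response, different question)
    or carries no SOA record."""
    if len(response) < 12:
        return None
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0] or (flags & 0x8000) == 0:
        return None
    off = 12
    for _ in range(qdcount):
        off = skip_name(response, off) + 4       # QTYPE + QCLASS
    if response[12:off] != query[12:]:
        return None
    for _ in range(ancount):
        off = skip_name(response, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == SOA and rclass == IN:
            p = skip_name(response, off)          # MNAME
            p = skip_name(response, p)            # RNAME
            return struct.unpack("!I", response[p:p + 4])[0]
        off += rdlen
    return None


def check_consistency(query: bytes, responses: dict) -> dict:
    """Map each server to its serial (None if unusable) and flag disagreement."""
    serials = {srv: parse_soa_serial(query, resp) for srv, resp in responses.items()}
    distinct = {s for s in serials.values() if s is not None}
    consistent = len(distinct) == 1 and None not in serials.values()
    return {"serials": serials, "consistent": consistent}


# Constructed sample: two instances agree, a third still serves an older copy.
ZONE = "alvestrand.no."
QUERY = build_soa_query(ZONE, 0x1234)
MNAME, RNAME = "eikenes.alvestrand.no.", "hostmaster.example."   # RNAME is made up
SAMPLE_RESPONSES = {
    "instance-a": build_soa_response(QUERY, MNAME, RNAME, 2001080701),
    "instance-b": build_soa_response(QUERY, MNAME, RNAME, 2001080701),
    "instance-c": build_soa_response(QUERY, MNAME, RNAME, 2001080601),
}

if __name__ == "__main__":
    print(check_consistency(QUERY, SAMPLE_RESPONSES))
```

The transaction-ID and question checks in `parse_soa_serial` discard answers that do not match the query actually sent, but they say nothing about who sent them; with every instance reachable at the same address, only DNSSEC validation would distinguish a stale or forged copy from the master's latest version.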