nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: F.ROOT-SERVERS.NET moved to Beijing?

From: Danny McPherson <danny () tcb net>
Date: Mon, 3 Oct 2011 09:27:46 -0400

On Oct 3, 2011, at 7:29 AM, Tony Finch wrote:


If you are running BIND 9.8 there is really no reason not to turn on
DNSSEC validation, then you won't have to worry about anycast routes
leaking from behind the great firewall.


User Exercise:  What happens when you enable integrity checking in an 
application (e.g., 'dnssec-validation auto') and datapath manipulation 
persists?  Bonus points for analysis of implementation and deployment 
behaviors and resulting systemic effects.

Network layer integrity techniques and secure routing infrastructure are 
all that's going to fix this.  In the interim, the ability to detect such 
incidents at some rate faster than the speed of mailing lists would be
ideal.

-danny
Previous By Date Next
Previous By Thread Next

Current thread: