News of ISC Developing BIND Patch

To pull a stunt like that at the root, they'd have to get the OTHER 9
or 10 organizations to buy in, or they'd find themselves outvoted 13
servers to 2, or whatever the exact numbers are....

From a purely technical perspective, DNS servers don't run ballots, so
it matters not so much how many servers say something, but what they
say, how long they claim it to be valid for, as well as how quickly they

It is much easier to give a long-lived lie than a short-lived truth in
the DNS world.

As such, any root server operator can potentially hijack a significant
amount (majority?) of Internet traffic, at least if no one notices
something odd and figures out what is going on too quickly. This is DNS
security 101...

A single rogue root server could be very messy to clean up after if the
person in control of the rogue server were skilled in the art (and root
server operators are supposed to be so skilled to get the job).

Paul is, I suspect, the best regular NANOG poster to judge the
trustworthiness of various root server operators. And I am comforted
somewhat by his faith in the Verisign employees tasked with this.

However, the whole episode does cast Verisign in a bad light, and IANA
should presumably review whether the company is a suitable contractor. I
for one believe a swift reversal of the Verisign position would earn it
a lot of credit; 900 seconds later and it is all forgotten.


Fortunately people will start noticing within minutes if not seconds. A
quick manual purge of the resolver cache should suffice for cleanup once
the problem itself has been fixed.
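The "long-lived lie versus short-lived truth" point above, and the manual cache purge suggested as the cleanup step, can be seen in a toy resolver cache. This is an added example written for this thread, not code from any poster or from BIND; the name, addresses, TTLs and timeline are constructed for the illustration.

```python
class ResolverCache:
    """Minimal DNS-style cache: (name, type) -> (rdata, absolute expiry)."""

    def __init__(self):
        self._entries = {}

    def store(self, name, rtype, rdata, ttl, now):
        # The resolver keeps whatever it was told until the TTL runs out.
        self._entries[(name.lower(), rtype)] = (rdata, now + ttl)

    def lookup(self, name, rtype, now):
        key = (name.lower(), rtype)
        entry = self._entries.get(key)
        if entry is None:
            return None
        rdata, expires = entry
        if now >= expires:  # expired entries are dropped lazily
            del self._entries[key]
            return None
        return rdata

    def flush(self):
        # The "quick manual purge" the thread mentions.
        self._entries.clear()

def resolve(cache, authority, name, rtype, now):
    """Serve from cache when possible, else query the authority and cache the reply."""
    cached = cache.lookup(name, rtype, now)
    if cached is not None:
        return cached
    rdata, ttl = authority(now)
    cache.store(name, rtype, rdata, ttl, now)
    return rdata

BOGUS = ("192.0.2.1", 86400)   # constructed: wrong answer, one-day TTL
TRUTH = ("198.51.100.7", 300)  # constructed: right answer, five-minute TTL

def simulate(times=(0, 600, 3600, 86400), switch_at=1, flush_at=None,
             before=BOGUS, after=TRUTH):
    """Authority serves `before` until switch_at, then `after`; returns
    {time: answer the resolver gives}, flushing the cache first at flush_at."""
    cache = ResolverCache()
    authority = lambda now: before if now < switch_at else after
    answers = {}
    for t in times:
        if flush_at is not None and t == flush_at:
            cache.flush()
        answers[t] = resolve(cache, authority, "www.example.com", "A", t)
    return answers
```

With the defaults the bogus answer is still served an hour after the authority was fixed and only drops out when its day-long TTL expires, whereas `simulate(flush_at=600)` recovers at the flush; swapping `before` and `after` shows the short-lived truth giving way within its five-minute TTL.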