[Dnssec-deployment] "Two Strikes For the I-root"
mcr at sandelman.ca
Sun Jun 13 14:44:26 EDT 2010
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Paul" == Paul Wouters <paul at xelerance.com> writes:
Paul> On Fri, 11 Jun 2010, Paul Wouters wrote:
Paul> Ooops, here is the link :)
So, the interesting part is:
dig @dns1.chinatelecom.com.cn. www.facebook.com.
www.facebook.com. 11556 IN A 184.108.40.206
www.facebook.com. 24055 IN A 220.127.116.11
www.facebook.com. 38730 IN A 18.104.22.168
and the note that:
"None of these IP addresses has anything to do with Facebook. In
fact, addresses starting with 37 haven't even been allocated by IANA as
of this writing. "
Whether or not this is evidence that i-root is serving wrong answers, or
that packets are being modified in flight, or that "dns1.chinatelecom.com.cn"
is answering with forged answers is irrelevant.
DNSSEC was designed to deal with all three issues.
Until we have DNSSEC, we won't know if Renesys was right or wrong.
(The relevance of the note is more relevant to IPv6 advocates... )
] He who is tired of Weird Al is tired of life! | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
then sign the petition.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Finger me for keys
-----END PGP SIGNATURE-----
More information about the Dnssec-deployment