Re: your mail
- To: Paul A Vixie <paul@vix.com>
- Subject: Re: your mail
- From: Ray Plzak <plzak@nic.mil>
- Date: Tue, 16 Mar 1999 08:08:58 -0500 (EST)
- cc: Randy Bush <randy@psg.com>, namedroppers <namedroppers@internic.net>, Jun Murai <jun@WIDE.AD.JP>, junsec <junsec@WIDE.AD.JP>, Kato Akira <kato@WIDE.AD.JP>, bmanning@ISI.EDU, markk@internic.net, mkaras@internic.net, randy@bogus.com, mir@ripe.net, evi@colorado.edu, liman@sunet.se, gih@telstra.net, woolf@ISI.EDU, keith@linx.net, kimh@arin.net
I agree with Paul's comments.
Ray
On Mon, 15 Mar 1999, Paul A Vixie wrote:
> short comments:
>
> > 1.2 The root servers serve the root, aka 'dot', zone. Although today
> > some of the root servers also serve some TLDs (top level domains)
> > such as gTLDs (COM, NET, ORG, etc.), infrastructural TLDs such as
> > INT and IN-ADDR.ARPA, and some ccTLDs (country code TLDs, e.g. SE
> > for Sweden), these TLDs MUST be moved to separate TLD servers in
> > the near future.
>
> qualified disagreement: the servers which serve dot should also serve
> in-addr.arpa and either ip6.int or its late model equivalents. i agree
> that com et al need to move to separate servers. (we stopped short of
> this when we did 2010, for political reasons pertaining to that time but
> not to this time.)
>
> > 2.1 It would be short-sighted and presumptuous of this document to
> > specify particular hardware, operating systems, or name serving
> > software. Variations in these areas would actually be a source of
> > robustness.
>
> the name server implementation should be "open source."
>
> > 2.5 Root name servers MUST disable recursive name lookup, forwarding,
> > etc. They also MUST NOT provide secondary service for any zones
> > other than the root zone. These restrictions help prevent undue
> > load on the root servers and reduce the chance of their caching
> > incorrect data.
>
> and in-addr.arpa and ip6.int.
>
> > 3.2.3 The LAN segment(s) on which a root server is homed SHOULD
> > be separately firewalled or packet filtered to discourage
> > network access to any port other than those needed for name
> > service.
>
> in particular, packets coming from rfc1918 space should be blocked by the
> upstream router if possible, or at any rate not responded to by the name
> server.
>
> > 3.2.4 The root servers SHOULD have their clocks synchronized via
> > NTP [RFC1305] [RFC2030] or similar mechanisms. For this
> > purpose, servers and their associated firewalls SHOULD
> > allow the root servers to be NTP clients. Root servers
> > MUST NOT act as NTP peers or servers.
>
> with authenticated ntp.
>
> > 3.2.5 All attempts at intrusion or other compromise SHOULD be
> > logged, and all such logs from all root servers SHOULD be
> > analysed by a central security team to look for patterns,
> > serious attempts, etc.
>
> centralized across what domain? a particular root's ops team, or the
> collected root ops teams?
>
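For readers wanting to see what the restrictions discussed above look like in practice, here is a BIND 9 named.conf skeleton covering sections 2.5 and 3.2.3 together with Vixie's in-addr.arpa and RFC 1918 points. It is an added example, not a configuration from the draft or from any root operator; the zone file names, the directory and the listen address (a TEST-NET-1 placeholder) are assumptions.

```conf
// Constructed example: an authoritative-only name server that serves
// dot and in-addr.arpa and nothing else. Paths and addresses are assumptions.

// RFC 1918 private address space. No legitimate query to a root server
// can carry one of these as its source, so such packets are ignored.
acl "rfc1918" {
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
};

options {
    directory "/var/named";            // assumed zone file location
    listen-on port 53 { 192.0.2.53; }; // placeholder address, only port 53 is exposed
    listen-on-v6 { none; };

    recursion no;              // 2.5: no recursive lookups for any client
    // No "forwarders" statement at all, so forwarding stays disabled.

    blackhole { "rfc1918"; };  // 3.2.3: never answer packets from private space
    allow-query { any; };      // authoritative answers are public
    allow-transfer { none; };  // no AXFR unless a zone explicitly allows it
};

// 2.5: authoritative for the root zone ...
zone "." {
    type master;
    file "root.zone";
};

// ... and, per the comment above, for in-addr.arpa, but for no other zone.
// Any further "zone" block here would turn the host into a secondary for
// something other than the root, which 2.5 forbids.
zone "in-addr.arpa" {
    type master;
    file "in-addr.arpa.zone";
};
```

The packet filter in front of the host should still drop RFC 1918 sources and every port except 53, since `blackhole` only stops the name server from answering, not the packets from arriving.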