The problem is making absolutely sure that the root zone that is served is authentic. For AS112 this is not really important because the queries it syphons off are all bogus anyways. So I could not care less if they received bogus answers. For the root this is an entirely different matter! Of course if we had DNSSEC widely deployed it would be a no-brainer. But I am afraid that is going to take a long time; I hope it happens before DNS itself becomes obsoleted.
I had some similar thoughts/worries. But then I realized, they apply to the current infrastructure just as well as to an anycast infrastructure. The security implications that I see come down to a few (I'm sure there are more)

first, what happens if someone starts announcing bogus paths to the anycast AS/network? Can't they hijack the root nameservers?

answer: Yes. Until nameservers on anycast networks are in place, the same attackers will have to do this by announcing the ip address of {all}.root-servers.net/32 (or /24 if their upstream won't accept a /32). The reason this doesn't happen every day is that providers generally are fairly good at not accepting clearly bogus advertisements from their customers, and (legitimately) trust that the providers they peer with have similar policies. This will work just as well with anycast.

second, right now there are a few dozen physical machines that are the root name servers. They are, generally, fairly tough nuts, security-wise. What happens when we have to secure a few hundred machines instead of a few dozen?

answer: if you can build one very secure single-purpose server, it's not all that much harder to build 100. The flip side of that is, if you've got a few hundred servers on anycast networks, then if one of them gets compromised, the "damage" is limited to those networks that see that server as "closest". And, as an extra added bonus, there's the neat feature that if an attacker is attacking a server across the network, and is attacking its anycast address, then which server he ends up attacking can tell you a lot about where he's coming from.

third, physically securing more servers.

answer: this actually is harder the more servers you have (well, it's harder if their redundancy is going to do you any good.) But, once again, the damage is limited to a smaller scope.

fourth, what about attacks against the synchronization of the root server zone files?

answer: first off, this probably (I'm not sure) doesn't happen very often. The root zone files don't change much. at least that's my understanding (the gtld-server zone files, on the other hand, do.) Also, this is already a problem. It's just a matter of scale. If you can build it right for a dozen servers, you can probably build it right for a hundred.

There are probably other problems, but those are the ones I thought of when thinking about this...

-Joe