On Fri, Jan 13, 2006 at 12:09:51PM -1000, Randy Bush wrote:
Well, RFC2010 section 2.12 hints at cache pollution attacks, and that's been discussed already. Note that I can't seem to find the same claim in RFC2870, which obsoletes 2010 (and the direction against recursive service is still there).
despite others saying that 2870 should apply to servers other than root servers, i do not support that. and that leaves aside that some root servers do not follow it very well.
randy
RFC 2870 was crafted at a time when the machines hosting the root zone also hosted several -large- TLD zones. Anycast was not widely used when this document was written. RFC 2010 did indicate that requirements would likely change in future, while RFC 2870 reinforced the then status quo. Perhaps the most fatal mistake of RFC 2870 was the ambiguous treatment of the service provisioning as distinctly different than protecting the availability of the (single?) instance of the hardware that provides that service. Given the changed nature of the publication platform for the root zone, (no big TLDs hosted there anymore) and the widescale use of anycast in the root, while not with many TLDs - it is clear to me that RFC 2870 applicability is oriented more toward TLD operations. For these and a few other reasons, no root server operator that i am aware of (save ICANN) actually tries to follow RFC 2870... Several try and follow RFC 2010 still ... despite the I[E/V]TF's marking of "obsolete" on RFC 2010. That said, there might be a replacement for both offered up - if time allows.
--bill