-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 From: Valdis.Kletnieks@vt.edu

To pull a stunt like that at the root, they'd have to get the OTHER 9 or 10 organizations to buy in, or they'd find themselves outvotes 13 servers to 2, or whatever the exact numbers are....

- From a purely technical perspective, DNS servers don't run ballots, so it matters not so much how many servers say something, but what they say, how long they claim it to be valid for, as well as how quickly they answer. It is much easier to give a long lived lie, than a short lived truth, in the DNS world. As such any root server operator can potentially hijack a significant amount (majority?) of Internet traffic, at least if no one notices something odd, and figures out what is going on too quickly. This is DNS security 101... A single rogue root server could be very messy to cleanup after if the person in control of the rogue server were skilled in the art (and root server operators are suppose to be so skilled to get the job). Paul is I suspect the best regular NANOG poster to judge the trustworthyness of various root server operators. And I am comforted somewhat by his faith in the Verisign employees tasked with this. However the whole episode does cast Verisign in a bad light, and IANA should presumably review whether the company is a suitable contractor. I for one believe a swift reversal of the Verisign position would earn it a lot of credit, 900 seconds later and it is all forgotten. Simon -----BEGIN PGP SIGNATURE----- Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE/aEtUGFXfHI9FVgYRAjRuAJsG1ZyxvbGaLFJk5ZszS7VF26bppgCfWD/B oya3kkWpGzgMD7dUsVGtVr4= =y111 -----END PGP SIGNATURE-----