All,

First, Manu, thanks for noticing the problem and reporting it.

Since i.root-servers.net was "dragged up" in this thread, I'd like to comment on a couple of things from Netnod's (operators of i.root-servers.net) side.

First, just to re-iterate: I-root servers operated by Netnod respond to all DNS queries we can handle, as we receive them, with unaltered answers from the true root zone. Period. We are, at the moment, not aware of any servers outside of our control operating on I-root's IP-addresses. What happens to the DNS packets beyond the first upstream router is at best difficult, and in many cases impossible, for us to control, though.

Netnod operates two I-root nodes in China. The one in Beijing has been in operation since 2007 (IIRC) with a longer stop a few years ago, which boiled down to sheer issues of old and malfunctioning hardware. It is now back on-line again on newer hardware. Our second node in China, in Shenyang, is brand new (months).

As Ray Bellis notes, we had a similar incident with the I-root node in Beijing back in 2010. It was fixed blindingly fast and with profuse apologies when we reported it to our site host. My experience is that Chinese authorities have no wish to inflict problems on clients outside China, and that whatever impersonation/leakage happens is indeed due to configuration errors on networking equipment.

There is no way to guarantee that any one ISP (inside China or not) does what you expect and hope with your BGP announcements and the traffic going to/from any server of yours (DNS root or other). Specifically, I expect that a country with more than a billion citizens has a network complexity of a certain scale, which, in combination with the intricate large scale traffic filters, makes "playing" with NO_EXPORT even trickier than normal. Life with anycast is a constant challenge to deploy the right number of instances at the right points in topology in order to make the right thing happen given an existing budget.

If you see any signs of problems with i.root-servers.net, please report them without delay to <[email protected]>. Every such report is of great value to us, as it helps us understand what our service looks like to you. These observations are important fixpoints in our continuous efforts to improve our service.

And finally to each and every one of you: Please turn on validation in your resolvers and sign your zones. DNSSEC is your friend.

Best regards,
/Liman
[email protected]
#----------------------------------------------------------------------
# Lars-Johan Liman, M.Sc.      ! E-mail: [email protected]
# Senior Systems Specialist    ! Tel: +46 8 - 562 860 12
# Netnod AB, Stockholm         ! http://www.netnod.se/
#----------------------------------------------------------------------
