On Thu, Jul 20, 2017 at 02:20:39PM +0200, Chris Amin <[email protected]> wrote a message of 90 lines which said:
>> it would be useful to have SOA queries from all probes with the NSID >> EDNS option set, in order to be able to match up responses with the >> particular responding instances > It is also useful to detect rogue root name servers (quite common with > anycast) or transparent DNS proxies. (Measurement #9209448 finds > several probes asking a rogue L-root, which has no NSID support, or > located behind a middlebox which strips NSID. Check probes > 23621,19770, 24890, 26328, 27059, 27080, 27843, 33806, 21570,14272, > 13660, 17775, 17841, 26587, 30847, 11410, 23438, 29814, 13719, 21140, > 25189, 25197. For some, the SOA serial number is so old that it is > probably a rogue root name server. Also, one probe, 28846, finds a > server replying with an abnormal NSID, which is not the normal from > L-root.) I also find useful to match id.server./hostname.bind. queries against the NSID results (à-la-nsidenumerator, see flag --id-server, https://github.com/insomniacslk/nsidenumerator )
