On 3/29/10 11:54 AM, Danny McPherson wrote:
>
> On Mar 29, 2010, at 10:16 AM, RL Vaughn wrote:
>
>> On 3/29/10 9:53 AM, [email protected] wrote:
>>> http://www.computerworld.com/s/article/9174132/China_s_Great_Firewall_spreads_overseas
>>>
>>> So was this a DNS or BGP issue? The reporter appears to be confused, or
>>> was it the Arbor Networks talking head?
>> It was a DNS issue. One host in i-root was providing incorrect answers.
>> The reason for those incorrect answers is unknown but the solution was
>> to remove the responsible host from the i-root anycast.
>
> Are you certain of this Randy? There are at least two questions:
Hmmm. Perhaps I am reading too much into Kurtis Lindqvist's note on
dns-operation. In fact, in that note, Kurtis says they are still
investigating the issue and, pending the results of that investigation,
they have:
"withdrawn the route announcements from one of our anycast nodes for
i.root-servers.net"
But that certain seems like a 'fix' albeit the permanency of the fix
is not mentioned.
The dig output provided was:
$ dig @i.root-servers.net www.facebook.com A
; <<>> DiG 9.6.1-P3 <<>> @i.root-servers.net www.facebook.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7448
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.facebook.com. IN A
;; ANSWER SECTION:
www.facebook.com. 86400 IN A 8.7.198.45
;; Query time: 444 msec
;; SERVER: 192.36.148.17#53(192.36.148.17)
;; WHEN: Wed Mar 24 14:21:54 2010
;; MSG SIZE rcvd: 66
>
> 1) Why was someone in Chile using that server (i.e., the routing bit)
Good question. I can imagine, of course, how someone in Chile can end
up using i-root.
>
> 2) Why were the responses they were getting "incorrect"
>
The original report, again on dns-operations, mentions that when
querying one of the i-root-server's nodes that node responds with an IP
instead of a referral.
> Regarding the latter, just because a client receives an "incorrect
> answer" doesn't necessarily mean it's what the server ("i-root") was
> transmitting.
>
Exactly, other things can cause this symptom and I give those equal
weight as having a rogue node. Still, the reported response appears
to identify a DNS issue.
> Removing the anycast instance from the i-root cluster means the
> ingress path towards i-root was withdraw, so that instance, and anything
> on the return path towards the client, are no longer an issue. I think
> the latter set of my comments in the article from last week allude to
> this (i.e., potential middleboxen manipulation).
> That said, I do eagerly await an authoritative postmortem from
> the relevant parties. But if you have data that suggests that
> "i-root was providing incorrect answers", I suspect folks would
> be quite interested in that.
>
Me too. The only evidence I have is i-root has taken steps to avoid
producing the reportedly incorrect answers which does not imply they
were the ones providing incorrect answers.
> -danny
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
