<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body>
<div class="BodyFragment"><font size="2"><span style="font-size:10pt;">
<div class="PlainText">Kevin,<br>
<br>
your message reminded me that you asked about my script before and I failed<br>
to respond then. I'm attaching here the script that I used to create<br>
the CLEAN dataset.<br>
<br>
DW<br>
<br>
</div>
</span></font></div>
<div class="BodyFragment"><font size="2"><span style="font-size:10pt;">
<div class="PlainText"><br>
<br>
On Oct 7, 2013, at 9:11 AM, Kevin White <kwhite@jasadvisors.com> wrote:<br>
<br>
> The problem is, there is "bad" data in these captures. One of the roots in<br>
> particular seems to leak a whole bunch of stuff in.<br>
> <br>
> At some point, the RAW was turned into CLEAN, following a procedure somewhat<br>
> like this. I'm just trying to duplicate that with a code base that can be<br>
> shared with anyone who cares.<br>
> <br>
> If anyone has any tips/suggestions, I'm all ears.<br>
> <br>
> Thanks,<br>
> <br>
> Kevin<br>
> <br>
> -----Original Message-----<br>
> From: Jim Reid [<a href="mailto:jim@rfc1035.com">mailto:jim@rfc1035.com</a>] <br>
> Sent: Monday, October 07, 2013 12:07 PM<br>
> To: Kevin White<br>
> Cc: Warren Kumari; 'collisions@lists.dns-oarc.net'<br>
> Subject: Re: [Collisions] Weird dest IP addr<br>
> <br>
> On 7 Oct 2013, at 16:49, Kevin White <kwhite@jasadvisors.com> wrote:<br>
> <br>
>> I should have an a-root entry too?<br>
> <br>
> Probably. But it would be for j-root since that's what used to occupy<br>
> 198.41.0.10.<br>
> <br>
> Hopefully someone at IANA can give you chapter and verse on which IP<br>
> addresses have been used by which root servers since DNS was first deployed.<br>
> And when these changed.<br>
> <br>
> I'd be wary of strict checking of destination addresses or coupling these to<br>
> specific root servers. It's possible the pcaps have traffic which goes to<br>
> the "real" IP address of an anycast instance, say for monitoring/alerting<br>
> purposes. [ie Is the box at anycast location foo working OK?] Those<br>
> addresses may well be information that an RSO is less than keen to share.<br>
> And they may also change from time to time too. :-)<br>
> <br>
> _______________________________________________<br>
> Collisions mailing list<br>
> Collisions@lists.dns-oarc.net<br>
> <a href="https://lists.dns-oarc.net/mailman/listinfo/collisions">https://lists.dns-oarc.net/mailman/listinfo/collisions</a><br>
<br>
</div>
</span></font></div>
</body>
</html>