[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers

Frederico A C Neves fneves at registro.br
Fri May 23 14:50:34 UTC 2008

On Thu, May 22, 2008 at 10:50:51AM -0400, Matthew Pounsett wrote:
> On 21-May-2008, at 13:22 , Peter Koch wrote:
> >PS: FWIW, having changed a TLD server's address recently, experiences
> >   are similar, even though no "hints" are involved.
> I've seen this as well.   After renumbering a couple of TLD servers  
> I've witnessed queries continuing to come in to the old addresses  
> several months beyond the TTL of the zone's NS records.  In both cases  
> we gave up on waiting for the queries to disappear and decommissioned  
> the old servers while queries were still coming in.

This is no news for any TLD that have renumbered. In our case we've
further investigated and discovered a majority of monitoring dig based
scripts with hard coded address and not buggy recursive
nameservers. So don't presume O(100) qps at a 10 years old retired
root-servers address being from recursive nameserver.


More information about the dns-operations mailing list