[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers
Frederico A C Neves
fneves at registro.br
Fri May 23 14:50:34 UTC 2008
On Thu, May 22, 2008 at 10:50:51AM -0400, Matthew Pounsett wrote:
> On 21-May-2008, at 13:22 , Peter Koch wrote:
> >PS: FWIW, having changed a TLD server's address recently, experiences
> > are similar, even though no "hints" are involved.
> I've seen this as well. After renumbering a couple of TLD servers
> I've witnessed queries continuing to come in to the old addresses
> several months beyond the TTL of the zone's NS records. In both cases
> we gave up on waiting for the queries to disappear and decommissioned
> the old servers while queries were still coming in.
This is no news for any TLD that have renumbered. In our case we've
further investigated and discovered a majority of monitoring dig based
scripts with hard coded address and not buggy recursive
nameservers. So don't presume O(100) qps at a 10 years old retired
root-servers address being from recursive nameserver.
More information about the dns-operations