[dns-operations] most of root NS and com's NS fail from here

Warren Kumari warren at kumari.net
Tue Apr 29 20:52:12 UTC 2014


On Tue, Apr 29, 2014 at 4:45 PM, Xun Fan <xunfan at isi.edu> wrote:
> That China has its own root nodes was confirmed long ago; we published that in
> our paper https://ant.isi.edu/blog/?p=362

Yup, believe me, I'm fully aware of that (and have read this, and many
other papers, have done some of my own testing on a number of trips to
Beijing, etc) -- unfortunately while I was there I didn't think to
test NSID / hostname.bind / IDENTITY.L.ROOT-SERVERS.ORG, etc
responses to see how convincing a lie^w optimization the servers
provide.

>
> Just pinged H-root from CERNET of China:
> $ ping h.root-servers.net
> PING h.root-servers.net (128.63.2.53) 56(84) bytes of data.
> 64 bytes from 128.63.2.53: icmp_seq=1 ttl=55 time=9.63 ms
> 64 bytes from 128.63.2.53: icmp_seq=2 ttl=55 time=9.56 ms
>
> 9ms is faster than the speed of light, given the two H-root sites are both
> in US and the ping source is in Shanghai.
>
> For the failure in China telecom, one possible explanation is that somehow
> the route to the "Chinese H-root" doesn't propagate to some server in China
> telecom, while the GFW has already started to drop packets from real H-root.


Yup.
W

>
>
> On Tue, Apr 29, 2014 at 12:15 PM, Warren Kumari <warren at kumari.net> wrote:
>>
>> On Tue, Apr 29, 2014 at 2:18 PM, bert hubert <bert.hubert at netherlabs.nl>
>> wrote:
>> >
>> > On 29 Apr 2014, at 20:55, Emmanuel Thierry <ml at sekil.fr> wrote:
>> >
>> >>
>> >> What we may observe from tests is that some dns servers failed without
>> >> an obvious connectivity problem (ping is OK). As a consequence, I think it
>> >> would be really interesting to test for instance with an arbitrary dns
>> >> server and see whether it fails or not.
>> >>
>> >
>> > Even root-servers that are down have been known to respond as observed
>> > from China. Sometimes within fewer milliseconds than it takes to reach the
>> > border.
>> >
>> > It is not internet as ‘we’ know it there.
>>
>> What would be interesting to see would be nsid, hostname.bind, etc
>> from the NS that *do* resolve.
>> E.g:
>>
>> dig -4 @l.root-servers.net hostname.bind CH TXT
>> dig -4 @l.root-servers.net . SOA +nsid
>>
>> W
>>
>>
>> >
>> >         Bert
>> >
>> > _______________________________________________
>> > dns-operations mailing list
>> > dns-operations at lists.dns-oarc.net
>> > https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>> > dns-jobs mailing list
>> > https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
>
>
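Added example, not part of the original thread: the "faster than the speed of light" argument quoted above, written as a check that compares an observed RTT with the physical lower bound to each known site of an anycast service. The site coordinates and the names `ASSUMED_SITES`, `min_rtt_ms`, `max_distance_km` and `rtt_plausible` are assumptions made for illustration.

```python
import math

C_KM_PER_MS = 299_792.458 / 1000.0  # speed of light in vacuum, km per ms
FIBRE_FACTOR = 2.0 / 3.0            # rough propagation speed in fibre vs. vacuum

# Constructed sample data. Coordinates are approximate assumptions: the post
# only says the ping source is in Shanghai and both H-root sites are in the US.
SHANGHAI = (31.23, 121.47)
ASSUMED_SITES = {"us-west": (32.72, -117.16), "us-east": (39.47, -76.13)}

def great_circle_km(a, b):
    """Haversine distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def min_rtt_ms(src, dst, factor=1.0):
    """Lower bound on RTT over the great-circle path, ignoring queuing."""
    return 2.0 * great_circle_km(src, dst) / (C_KM_PER_MS * factor)

def max_distance_km(rtt_ms, factor=1.0):
    """Farthest the responder can be from the source for an observed RTT."""
    return rtt_ms / 2.0 * C_KM_PER_MS * factor

def rtt_plausible(src, sites, observed_ms):
    """True if at least one listed site could have answered in observed_ms.

    The vacuum bound is used, so False means no listed site can be the
    responder, whatever path the packets took.
    """
    return any(observed_ms >= min_rtt_ms(src, loc) for loc in sites.values())

if __name__ == "__main__":
    for name, loc in ASSUMED_SITES.items():
        print(f"{name}: >= {min_rtt_ms(SHANGHAI, loc):.1f} ms in vacuum, "
              f">= {min_rtt_ms(SHANGHAI, loc, FIBRE_FACTOR):.1f} ms in fibre")
    for rtt in (9.63, 9.56, 185.0):  # first two are the RTTs from the quoted ping
        verdict = "plausible" if rtt_plausible(SHANGHAI, ASSUMED_SITES, rtt) else "impossible"
        print(f"rtt={rtt} ms: {verdict}; responder within "
              f"{max_distance_km(rtt, FIBRE_FACTOR):.0f} km (fibre)")
```

A failed check only says the answer did not come from a listed site; the NSID and hostname.bind queries suggested in the thread are what would show how the responder identifies itself.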


