[dns-operations] most of root NS and com's NS fail from here

Xun Fan xunfan at isi.edu
Tue Apr 29 21:06:53 UTC 2014


On Tue, Apr 29, 2014 at 1:52 PM, Warren Kumari <warren at kumari.net> wrote:

> On Tue, Apr 29, 2014 at 4:45 PM, Xun Fan <xunfan at isi.edu> wrote:
> > That China has its own root nodes was confirmed long ago; we published that in
> > our paper https://ant.isi.edu/blog/?p=362
>
> Yup, believe me, I'm fully aware of that (and have read this, and many
> other papers, have done some of my own testing on a number of trips to
> Beijing, etc) -- unfortunately while I was there I didn't think to
> test NSID / hostname.bind /  IDENTITY.L.ROOT-SERVERS.ORG, etc
> responses to see how convincing a lie^w optimization the servers
> provide.
>

Oh, sure, I totally agree NSID/hostname.bind etc. will be very helpful.

My experience is that if these queries hit a masquerading root node, you
mostly won't get an answer: either there is no ANSWER section or there is
an empty string in the ANSWER section.

Another thing is that the masquerading node is not always there. Sometimes
our queries hit the real root node and everything is correct (NSID,
hostname.bind, etc.).
But we didn't collect data continuously, so we don't know the exact pattern.


>
> >
> > Just pinged H-root from CERNET of China:
> > $ ping h.root-servers.net
> > PING h.root-servers.net (128.63.2.53) 56(84) bytes of data.
> > 64 bytes from 128.63.2.53: icmp_seq=1 ttl=55 time=9.63 ms
> > 64 bytes from 128.63.2.53: icmp_seq=2 ttl=55 time=9.56 ms
> >
> > 9ms is faster than the speed of light, given the two H-root sites are both
> > in the US and the ping source is in Shanghai.
> >
> > For the failure in China Telecom, one possible explanation is that somehow
> > the route to the "Chinese H-root" doesn't propagate to some server in China
> > Telecom, while the GFW has already started to drop packets from real H-root.
>
>
> Yup.
> W
>
> >
> >
> > On Tue, Apr 29, 2014 at 12:15 PM, Warren Kumari <warren at kumari.net> wrote:
> >>
> >> On Tue, Apr 29, 2014 at 2:18 PM, bert hubert <bert.hubert at netherlabs.nl> wrote:
> >> >
> >> > On 29 Apr 2014, at 20:55, Emmanuel Thierry <ml at sekil.fr> wrote:
> >> >
> >> >>
> >> >> What we may observe from tests is that some dns servers failed without
> >> >> an obvious connectivity problem (ping is OK). As a consequence, I think it
> >> >> would be really interesting to test for instance with an arbitrary dns
> >> >> server and see whether it fails or not.
> >> >>
> >> >
> >> > Even root-servers that are down have been known to respond as observed
> >> > from China. Sometimes within fewer milliseconds than it takes to reach the
> >> > border.
> >> >
> >> > It is not internet as ‘we’ know it there.
> >>
> >> What would be interesting to see would be nsid, hostname.bind, etc
> >> from the NS that *do* resolve.
> >> E.g:
> >>
> >> dig -4 @l.root-servers.net hostname.bind CH TXT
> >> dig -4 @l.root-servers.net . SOA +nsid
> >>
> >> W
> >>
> >>
> >> >
> >> >         Bert
> >> >
> >> > _______________________________________________
> >> > dns-operations mailing list
> >> > dns-operations at lists.dns-oarc.net
> >> > https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> >> > dns-jobs mailing list
> >> > https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
> >
> >
>
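
Added example (not part of the original message or of the authors' measurement code): the speed-of-light argument made above about the quoted ping output, written as a check that can be run over any ping capture. The coordinates are approximate assumptions for Shanghai and for the two US H-root sites of the time (Aberdeen, MD and San Diego, CA), and the function names are made up for this illustration.

```python
import math
import re

C_KM_PER_MS = 299.792458  # speed of light in vacuum, km per millisecond

# Approximate coordinates (assumptions, not taken from the thread).
VANTAGE = ("Shanghai", 31.23, 121.47)
CLAIMED_SITES = [("Aberdeen, MD", 39.51, -76.16), ("San Diego, CA", 32.72, -117.16)]

# Ping output as quoted in the message.
PING_OUTPUT = """\
PING h.root-servers.net (128.63.2.53) 56(84) bytes of data.
64 bytes from 128.63.2.53: icmp_seq=1 ttl=55 time=9.63 ms
64 bytes from 128.63.2.53: icmp_seq=2 ttl=55 time=9.56 ms
"""

def great_circle_km(lat1, lon1, lat2, lon2):
    """Haversine distance on a sphere of radius 6371 km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def min_rtt_ms(vantage, sites):
    """Smallest physically possible RTT to the nearest claimed site.
    Uses c in vacuum, so a real path (fibre, routing) can only be slower."""
    _, vlat, vlon = vantage
    nearest = min(great_circle_km(vlat, vlon, lat, lon) for _, lat, lon in sites)
    return 2 * nearest / C_KM_PER_MS

def parse_rtts(ping_text):
    """Extract per-reply RTTs (ms) from Linux ping output."""
    return [float(m) for m in re.findall(r"time=([\d.]+) ms", ping_text)]

def check_replies(ping_text, vantage, sites):
    """Return (floor_ms, [(rtt_ms, physically_impossible), ...])."""
    floor = min_rtt_ms(vantage, sites)
    return floor, [(rtt, rtt < floor) for rtt in parse_rtts(ping_text)]

if __name__ == "__main__":
    floor, results = check_replies(PING_OUTPUT, VANTAGE, CLAIMED_SITES)
    print(f"physical RTT floor to nearest claimed site: {floor:.1f} ms")
    for rtt, impossible in results:
        verdict = "cannot come from a claimed site" if impossible else "plausible"
        print(f"rtt={rtt} ms -> {verdict}")
```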