[dns-operations] K-root in CN leaking outside of CN

Lars-Johan Liman liman at netnod.se
Mon Nov 8 12:38:14 UTC 2021


First, Manu, thanks for noticing the problem and reporting it.

Since i.root-servers.net was "dragged up" in this thread, I'd like to
comment a couple of things from Netnod's (operators of
i.root-servers.net) side.

First, just to re-iterate: I-root servers operated by Netnod responds to
all DNS queries we can handle, as we receive them, with unaltered
answers from the true root zone. Period. We are, at the moment, not
aware of any servers outside of our control operating on I-roots

What happens to the DNS packets beyond the first upstream router is at
best difficult, and in many cases impossible, for us to control, though.

Netnod operates two I-root nodes in China. The one in Beijing has been
in operation since 2007 (IIRC) with a longer stop a few years ago, which
boiled down to sheer issues of old and malfunctioning hardware. It is
now back on-line again on newer hardware.

Our second node in China, in Shenyang, is brand new (months).

As Ray Bellis notes, we had a similar incident with the I-root node in
Beijing back in 2010. It was fixed blindingly fast and with profuse
apologies when we reported it to our site host. My experience is that
Chinese authorities have no wish to inflict problems on clients outside
China, and that whatever impersonation/leakage happens is indeed due to
configuration errors on networking equipment.

There is no way to guarantee that any one ISP (inside China or not) does
what you expect and hope with your BGP announcements and the traffic
going to/from any server of yours (DNS root or other). Specifically, I
expect that a country with more than a billion citizens has a network
complexity of certain scale, which, in combination with the intricate
large scale traffic filters, makes "playing" with NO_EXPORT even
trickier than normal. Life with anycast is a constant challenge to
deploy the right number of instances at the right points in topology in
order to make the right thing happen given an existing budget.

If you see any signs of problems with i.root-servers.net, please report
them without delay to <noc at netnod.se>. Every such report is of great
value to us, as it helps us understand what our service looks like to
you. These observations are important fixpoints in our continuous
efforts to improve our service.

And finally to each and every one of you:

Please turn on validation in your resolvers and sign your zones. DNSSEC
is your friend.

				Best regards,
                                   hostmaster at i.root-servers.net

# Lars-Johan Liman, M.Sc.               !  E-mail: liman at netnod.se
# Senior Systems Specialist             !  Tel: +46 8 - 562 860 12
# Netnod AB, Stockholm                  !  http://www.netnod.se/

More information about the dns-operations mailing list