[dns-operations] K-root in CN leaking outside of CN

Manu Bretelle chantr4 at gmail.com
Mon Nov 8 17:12:39 UTC 2021


Thanks Davey for the suggestions and Anand (and team) for withdrawing the
route.

> As for this specific problem, we have reached out to both the AS that is
accepting the leak and RIPE NCC as we identified the issue, provided the
ISP possible workaround in the meantime.

When we believed we identified what the issue was, this is the first thing
we did.

On Mon, Nov 8, 2021 at 12:18 AM Anand Buddhdev <anandb at ripe.net> wrote:

>
> Many people have already said this, but I'd like to make it clear that
> the K-root server was NOT emitting false responses for Facebook and
> WhatsApp. The responses were being modified by something between the
> server and its clients.
>

Yes, I would also like to point out that this is not what I was hinting at.
What I believed happened was that the route were advertised by mistake
(tell me about it given some recent events, this is still very fresh to me
:) ) and modified along the way. I tried to convey that in those sentences
in my original email, I am sorry if it was not clear enough, or made people
believe I was saying that the k-root servers were misbehaving.

> How do we ensure that those are not advertised outside of China so DNS
answers are not poisoned by the GFW?

> I don't believe this specific leak I am seeing is malicious, but rather
is just a misconfiguration and I really wonder how this could be
prevented/addressed early on.

Also, I would like to point out that I did not mean to make this a FB/WA
problem. Those names are just examples that highlighted the issue.

Thanks,

Manu


>
> Regards,
> Anand Buddhdev
> RIPE NCC
>
> On 08/11/2021 08:45, Davey Song wrote:
>
> > If it is urgent, I suggest the K root operator withdraw the route of the
> > instance in Guangzhou immediately.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20211108/4ff50c21/attachment.html>


More information about the dns-operations mailing list