[dns-operations] [Ext] K-root in CN leaking outside of CN

Manu Bretelle chantr4 at gmail.com
Mon Nov 8 18:33:16 UTC 2021


On Mon, Nov 8, 2021 at 10:13 AM Paul Hoffman <paul.hoffman at icann.org> wrote:

> Did you investigate whether the impersonation persisted after the route
> leak was fixed? That is, if someone is impersonating K-root for the vantage
> points that you saw, they might be doing it all the time, not just when
> there is a known route leak. A route leak makes impersonation easier, but
> it is not a requirement.
>

That's a good point!

I just re-ran the measurements:

```
blaeu-resolve  -m 33234036 -q A d.ns.facebook.com
[] : 16 occurrences
[185.89.219.12] : 2 occurrences
Test #33234036 done at 2021-11-08T18:14:39Z
```


The 2 occurrences returning `185.89.219.12` are the ones I mentioned
earlier which seem to funnel everything to a local server. One of the
original probes did not participate.

Looking at server ids:

```
blaeu-resolve  -m 33234039 -q TXT id.server
["ns1.vn-han.k.ripe.net"] : 1 occurrences
["ns3.us-mia.k.ripe.net"] : 4 occurrences
["ns1.us-mia.k.ripe.net"] : 3 occurrences
["ns1.ru-led.k.ripe.net"] : 2 occurrences
["ns2.us-mia.k.ripe.net"] : 4 occurrences
[ERROR: NOTIMP] : 1 occurrences
["ns1.ch-gva.k.ripe.net"] : 1 occurrences
[ERROR: SERVFAIL] : 1 occurrences
["ns1.gb-lon.k.ripe.net"] : 1 occurrences
Test #33234039 done at 2021-11-08T18:15:35Z
```

The 4 originally impacted probes are going to MIA:
```
blaeu-resolve  -m 33234048  -q TXT id.server
["ns3.us-mia.k.ripe.net"] : 1 occurrences
["ns2.us-mia.k.ripe.net"] : 1 occurrences
["ns1.us-mia.k.ripe.net"] : 1 occurrences
Test #33234048 done at 2021-11-08T18:22:25Z
```

One of the original probes did not participate.

Manu

--Paul Hoffman