[dns-operations] K-root in CN leaking outside of CN

Manu Bretelle chantr4 at gmail.com
Tue Nov 9 20:02:33 UTC 2021


Hi Davey,

On Mon, Nov 8, 2021 at 11:30 PM Davey Song <songlinjian at gmail.com> wrote:

> AFAIK, the root server instances in China are not expected to serve
> queries
> outside of China.
>

agreed


> They are called local Root instances when they are introduced.
>

 Yeah, so it seems there is a mixture of Global and Local in China
currently, but I would bet the Local/Global terms as defined in
https://root-servers.org/faq/ don't apply in term of geopolitics.

Currently, it seems there is both Local and Global, the affected server was
actually "Local" AFAICT:
```
# https://gist.github.com/chantra/db90d97ebe3936742158fb57b5dd3221
~/root_servers.py --country CN --site-type Global --site-type Local
F:
        Beijing (Local)
        Chongqing (Local)
        Hangzhou (Local)
        Xining Caojiabu (Local)
I:
        Beijing (Global)
        Hong Kong (Global)
J:
        Beijing (Global)
        Hangzhou (Global)
K:
        Beijing (Local)
        Guangzhou (Local) << this one
        Guiyang (Global)
L:
        Beijing (Global)
        Beijing (Global)
        Beijing (Global)
        Beijing (Global)
        Haikou (Global)
        Shanghai (Global)
        Wuhan (Global)
        Wuhan (Global)
        Xining (Global)
        Xining (Global)
        Zhengzhou (Global)
        Zhengzhou (Global)
 ```


>
> It is true as Liman said no one wishes to inflict problems on clients
> outside China.
>

Understood and assumed so.


> There are must be a network error I think which allows resolvers out of
> China to reach it.
>
> Network errors always happen, so the old issues will happen again. Sad.
>

As you said (and multiple of us have said on this thread), there was and
there very likely will be again issues of this type. But that does not mean
that we should take that fate for granted and having the right monitoring
in place to avoid similar issue (or at least prolonged issues) in the
future will be likely go a long way rather than having some anecdotal
reports.

Manu


> Davey
>
>
> On Mon, 8 Nov 2021 at 16:15, Anand Buddhdev <anandb at ripe.net> wrote:
>
>> Hi Davey, Manu,
>>
>> The server we operate in Guangzhou was indeed reachable from outside
>> China. This is not the intention, of course. On Saturday, when we got
>> notification about this, we withdrew the prefix from the server, and we
>> are communicating with the host to solve this.
>>
>> Many people have already said this, but I'd like to make it clear that
>> the K-root server was NOT emitting false responses for Facebook and
>> WhatsApp. The responses were being modified by something between the
>> server and its clients.
>>
>> Regards,
>> Anand Buddhdev
>> RIPE NCC
>>
>> On 08/11/2021 08:45, Davey Song wrote:
>>
>> > If it is urgent, I suggest the K root operator withdraw the route of the
>> > instance in Guangzhou immediately.
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20211109/50496139/attachment.html>


More information about the dns-operations mailing list