[dns-operations] K-root in CN leaking outside of CN

Manu Bretelle chantr4 at gmail.com
Tue Nov 9 20:12:12 UTC 2021


On Tue, Nov 9, 2021 at 12:39 AM Magnus Sandberg <mem at fallback.netnod.se>
wrote:

>
>
> As of this complexity (both on general network level and the GFW), I
> don't think of local DNS root instances in the way that an instance can
> be "country local".
> I don't see Internet routing and BGP as a binary thing at network level.
> Of course the routing decision in a single router has to be "binary" to
> select next-hop, but on a larger scale you can't predict exactly what will
> happen with your outgoing packets, as Liman wrote.
>

Agreed that this is a complex beast :) and given it is complicated to
predict exactly what will happen with outgoing packets, being able to
verify expectations from external vantage points is at least a good way to
confirm that things are operating as expected. I don't mean to have a
solution and this is probably a decently difficult problem to solve, but I
think it would go a long way.

Manu


>
> Regards,
> // mem
>
>
>
> On 2021-11-09 at 08:23, Davey Song wrote:
> > AFAIK, the root server instances in China are not expected to serve
> > queries outside of China. They are called local Root instances when
> > they are introduced.
> >
> > It is true as Liman said no one wishes to inflict problems on clients
> > outside China.
> > There must be a network error, I think, which allows resolvers out of
> > China to reach it.
> >
> > Network errors always happen, so the old issues will happen again. Sad.
> >
> > Davey
> >
> >
> > On Mon, 8 Nov 2021 at 16:15, Anand Buddhdev <anandb at ripe.net> wrote:
> >
> >> Hi Davey, Manu,
> >>
> >> The server we operate in Guangzhou was indeed reachable from outside
> >> China. This is not the intention, of course. On Saturday, when we got
> >> notification about this, we withdrew the prefix from the server, and we
> >> are communicating with the host to solve this.
> >>
> >> Many people have already said this, but I'd like to make it clear that
> >> the K-root server was NOT emitting false responses for Facebook and
> >> WhatsApp. The responses were being modified by something between the
> >> server and its clients.
> >>
> >> Regards,
> >> Anand Buddhdev
> >> RIPE NCC
> >>
> >> On 08/11/2021 08:45, Davey Song wrote:
> >>
> >>> If it is urgent, I suggest the K root operator withdraw the route of
> >>> the instance in Guangzhou immediately.
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>