<div dir="ltr"><div>Thanks Liman,<br><br>I really appreciate this bit of history/context.<br><br><br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
First, just to re-iterate: I-root servers operated by Netnod responds to<br>
all DNS queries we can handle, as we receive them, with unaltered<br>
answers from the true root zone. Period. We are, at the moment, not<br>
aware of any servers outside of our control operating on I-roots<br>
IP-addresses.<br>
<br>
What happens to the DNS packets beyond the first upstream router is at<br>
best difficult, and in many cases impossible, for us to control, though.<br></blockquote><div><br>Yes, I am also going to re-iterate that this was not my intent to say that ${letter}.root was modifying those answers. But rather that a route leak was apparently happening and content changed on the way by saying:<br><br>> How do we ensure that those are not advertised outside of China so DNS answers are not poisoned by the GFW?<br><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
<br>
As Ray Bellis notes, we had a similar incident with the I-root node in<br>
Beijing back in 2010. It was fixed blindingly fast and with profuse<br>
apologies when we reported it to our site host. My experience is that<br>
Chinese authorities have no wish to inflict problems on clients outside<br>
China, and that whatever impersonation/leakage happens is indeed due to<br>
configuration errors on networking equipment.</blockquote><div><br>Also very much agreeing on this, and this was also my impression:<br>> I don't believe this specific leak I am seeing is malicious, but rather is just a misconfiguration and I really wonder how this could be prevented/addressed early on.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> <br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
There is no way to guarantee that any one ISP (inside China or not) does<br>
what you expect and hope with your BGP announcements and the traffic<br>
going to/from any server of yours (DNS root or other). Specifically, I<br>
expect that a country with more than a billion citizens has a network<br>
complexity of certain scale, which, in combination with the intricate<br>
large scale traffic filters, makes "playing" with NO_EXPORT even<br>
trickier than normal. Life with anycast is a constant challenge to<br>
deploy the right number of instances at the right points in topology in<br>
order to make the right thing happen given an existing budget.<br></blockquote><div><br>Agreed this is a tricky problem and as we see, history repeats itself, old problems become new again, mistakes will always happen, and it will probably be very difficult to avoid them moving forward, but if we could collectively come up with a way to monitor and detect such issues we will probably be in a better spot to act faster.<br> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
If you see any signs of problems with <a href="http://i.root-servers.net" rel="noreferrer" target="_blank">i.root-servers.net</a>, please report<br>
them without delay to <<a href="mailto:noc@netnod.se" target="_blank">noc@netnod.se</a>>. Every such report is of great<br>
value to us, as it helps us understand what our service looks like to<br>
you. These observations are important fixpoints in our continuous<br>
efforts to improve our service.<br></blockquote><div><br>I would definitely do it. It was very much luck though. The probabilities of ISP needing to go back to root to the impacted domains and choosing the affected one would have been pretty low. In this case, a particular ISP being impacted and having user reports, managing to reproduce it and eventually this got to us through partner channels which we ended up looking into and here I am bringing this up here so this does not get fixed in a silo but hopefully we can learn and be better prepared to detect those issues in the future. This would be beneficial to all letters and their users IMO.<br> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
And finally to each and every one of you:<br>
<br>
Please turn on validation in your resolvers and sign your zones. DNSSEC<br>
is your friend.<br></blockquote><div><br>Thanks Liman for the reminder. I appreciate you not making this the main point of your reply and kept on topic.<br><br>Manu</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Best regards,<br>
/Liman<br>
<a href="mailto:hostmaster@i.root-servers.net" target="_blank">hostmaster@i.root-servers.net</a><br>
<br>
#----------------------------------------------------------------------<br>
# Lars-Johan Liman, M.Sc. ! E-mail: <a href="mailto:liman@netnod.se" target="_blank">liman@netnod.se</a><br>
# Senior Systems Specialist ! Tel: +46 8 - 562 860 12<br>
# Netnod AB, Stockholm ! <a href="http://www.netnod.se/" rel="noreferrer" target="_blank">http://www.netnod.se/</a><br>
#----------------------------------------------------------------------<br>
_______________________________________________<br>
dns-operations mailing list<br>
<a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank">dns-operations@lists.dns-oarc.net</a><br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
</blockquote></div></div>