<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Nov 8, 2021 at 10:13 AM Paul Hoffman <<a href="mailto:paul.hoffman@icann.org">paul.hoffman@icann.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Did you investigate whether the impersonation persisted after the route leak was fixed? That is, if someone is impersonating K-root for the vantage points that you saw, they might be doing it all the time, not just when there is a known route leak. A route leak makes impersonation easier, but it is not a requirement.<br></blockquote><div><br></div><div>That's a good point!<br><br>I just re-ran the measurements:<br><br>```<br>blaeu-resolve -m 33234036 -q A <a href="http://d.ns.facebook.com">d.ns.facebook.com</a><br>[] : 16 occurrences<br>[185.89.219.12] : 2 occurrences<br>Test #33234036 done at 2021-11-08T18:14:39Z<br>```<br><br></div><div><br>The 2 occurrences returning `185.89.219.12` are the ones I mentioned earlier which seem to funnel everything to a local server. One of the original probe did not participate.<br><br>Looking at server ids:<br><br>```<br>blaeu-resolve -m 33234039 -q TXT id.server<br>["<a href="http://ns1.vn-han.k.ripe.net">ns1.vn-han.k.ripe.net</a>"] : 1 occurrences<br>["<a href="http://ns3.us-mia.k.ripe.net">ns3.us-mia.k.ripe.net</a>"] : 4 occurrences<br>["<a href="http://ns1.us-mia.k.ripe.net">ns1.us-mia.k.ripe.net</a>"] : 3 occurrences<br>["<a href="http://ns1.ru-led.k.ripe.net">ns1.ru-led.k.ripe.net</a>"] : 2 occurrences<br>["<a href="http://ns2.us-mia.k.ripe.net">ns2.us-mia.k.ripe.net</a>"] : 4 occurrences<br>[ERROR: NOTIMP] : 1 occurrences<br>["<a href="http://ns1.ch-gva.k.ripe.net">ns1.ch-gva.k.ripe.net</a>"] : 1 occurrences<br>[ERROR: SERVFAIL] : 1 occurrences<br>["<a href="http://ns1.gb-lon.k.ripe.net">ns1.gb-lon.k.ripe.net</a>"] : 1 occurrences<br>Test #33234039 done at 2021-11-08T18:15:35Z<br>``` <br><br>The 4 originally impacted probes are going to MIA:<br>```<br>blaeu-resolve -m 33234048 -q TXT id.server<br>["<a href="http://ns3.us-mia.k.ripe.net">ns3.us-mia.k.ripe.net</a>"] : 1 occurrences<br>["<a href="http://ns2.us-mia.k.ripe.net">ns2.us-mia.k.ripe.net</a>"] : 1 occurrences<br>["<a href="http://ns1.us-mia.k.ripe.net">ns1.us-mia.k.ripe.net</a>"] : 1 occurrences<br>Test #33234048 done at 2021-11-08T18:22:25Z<br>```<br><br>One of the original probes did not participate.<br><br>Manu<br><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
--Paul Hoffman</blockquote></div></div>