<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Nov 9, 2021 at 12:39 AM Magnus Sandberg <<a href="mailto:mem@fallback.netnod.se">mem@fallback.netnod.se</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
<br>
As of this complexity (both on general network level and the GFW), I <br>
don't think of local DNS root instances in the way that an instance can <br>
be "country local".<br>
I don't see Internet routing and BGP as a binary thing at network level. <br>
Of cause the routing decision in a single router has to be "binary" to <br>
select next-hop, but on a larger scale you can't predict exact what will <br>
happen with your outgoing packets, as Liman wrote.<br></blockquote><div><br></div><div>Agreed that this is a complex beast :) and given it is complicated to predict exactly what will happen with outgoing packets, being able to verify expectations from external vantage points is at least a good way to confirm that things are operating as expected. I don't mean to have a solution and this is probably a decently difficult problem to solve, but I think it would go a long way.<br><br>Manu</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
<br>
Regards,<br>
// mem<br>
<br>
<br>
<br>
Den 2021-11-09 kl. 08:23, skrev Davey Song:<br>
> AFAIK, the root server instances in China are not expected to serve queries<br>
> outside of China. They are called local Root instances when they are<br>
> introduced.<br>
> <br>
> It is true as Liman said no one wishes to inflict problems on clients<br>
> outside China.<br>
> There are must be a network error I think which allows resolvers out of<br>
> China to reach it.<br>
> <br>
> Network errors always happen, so the old issues will happen again. Sad.<br>
> <br>
> Davey<br>
> <br>
> <br>
> On Mon, 8 Nov 2021 at 16:15, Anand Buddhdev <<a href="mailto:anandb@ripe.net" target="_blank">anandb@ripe.net</a>> wrote:<br>
> <br>
>> Hi Davey, Manu,<br>
>><br>
>> The server we operate in Guangzhou was indeed reachable from outside<br>
>> China. This is not the intention, of course. On Saturday, when we got<br>
>> notification about this, we withdrew the prefix from the server, and we<br>
>> are communicating with the host to solve this.<br>
>><br>
>> Many people have already said this, but I'd like to make it clear that<br>
>> the K-root server was NOT emitting false responses for Facebook and<br>
>> WhatsApp. The responses were being modified by something between the<br>
>> server and its clients.<br>
>><br>
>> Regards,<br>
>> Anand Buddhdev<br>
>> RIPE NCC<br>
>><br>
>> On 08/11/2021 08:45, Davey Song wrote:<br>
>><br>
>>> If it is urgent, I suggest the K root operator withdraw the route of the<br>
>>> instance in Guangzhou immediately.<br>
<br>
_______________________________________________<br>
dns-operations mailing list<br>
<a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank">dns-operations@lists.dns-oarc.net</a><br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
</blockquote></div></div>