F.ROOT-SERVERS.NET moved to Beijing?

Todd Underwood toddunder at gmail.com
Sun Oct 2 21:30:37 UTC 2011


leo, all,

in the past, name servers that operated inside of china were subject
to arbitrary rewriting or blocking of their results by the Great
Firewall.

this is obviously bad for Chinese citizens but it's *dramatically*
worse for people outside of china who end up reaching a root server in
china by mistake, no?  people who ostensibly live free of this kind of
interference and censorship are now subject to it by mistake.

a previous time this happened renesys did a good write up on it.

http://www.renesys.com/blog/2010/06/two-strikes-i-root.shtml

i guess my questions now are:

1) how long was this happening?
2) can any root server operator who serves data inside of china verify
that the data that they serve have not been rewritten by the great
firewall?
3) does ISC (or <Insert Root Operator Here>) have a plan for
monitoring route distribution to ensure that this doesn't happen again
(without prompt detection and mitigation)?

i'm not really singling out ISC here--this is a serious problem for
anyone who chooses to operate a root server node on untrustworthy or
malicious network infrastructure (which is one appropriate way of
thinking of a rewriting firewall from the perspective of a root server
operator).

cheers,

t

On Sun, Oct 2, 2011 at 3:08 PM, Leo Bicknell <bicknell at ufp.org> wrote:
> In a message written on Sun, Oct 02, 2011 at 05:40:23PM +0000, Janne Snabb wrote:
>> I happened to notice the following at three separate sites around
>> the US and one site in Europe:
>
> ISC has verified our PEK2 route was being leaked further than
> intended, and for the moment we have pulled the route until we can
> get confirmation from our partners that the problem has been resolved.
> Service should be back to normal, but if anyone is still having
> problems noc at isc.org will open a ticket.
>
> --
>       Leo Bicknell - bicknell at ufp.org - CCIE 3440
>        PGP keys at http://www.ufp.org/~bicknell/
>
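
An added example, not part of the original message and not ISC's or any root operator's tooling: a sketch of the route-distribution monitoring asked about in question 3, which also answers "how long was this happening?" from route-collector data. The ASNs (documentation range), vantage-point names, timestamps and scope policy are all constructed assumptions.

```python
from datetime import datetime, timezone

# Constructed policy: ASN hosting a local-scope anycast node -> regions meant to reach it.
# ASNs come from the documentation range; this is not any operator's real configuration.
LOCAL_NODES = {64500: {"CN"}}

# Constructed route-collector observations: (UTC time, vantage point, its region, AS path).
OBSERVATIONS = [
    ("2000-01-01T00:00:00", "vp-us-1", "US", [64510, 64501, 64496]),
    ("2000-01-01T02:00:00", "vp-us-1", "US", [64510, 64502, 64500, 64496]),
    ("2000-01-01T02:30:00", "vp-cn-1", "CN", [64502, 64500, 64496]),  # in scope
    ("2000-01-01T03:00:00", "vp-eu-1", "EU", [64511, 64502, 64500, 64496]),
    ("2000-01-01T05:00:00", "vp-us-1", "US", [64510, 64501, 64496]),  # route pulled
]

def leaked_node(path, region, local_nodes):
    """Return the local-node ASN this path crosses outside its intended scope, else None."""
    for asn in path:
        allowed = local_nodes.get(asn)
        if allowed is not None and region not in allowed:
            return asn
    return None

def leak_windows(observations, local_nodes=LOCAL_NODES):
    """Return [(vantage, node_asn, start, end)]; end is None while the leak is still seen."""
    open_leaks, windows = {}, []
    for ts, vantage, region, path in sorted(observations, key=lambda o: o[0]):
        when = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
        asn = leaked_node(path, region, local_nodes)
        if asn is not None:
            # Keep the first sighting so the window start is not overwritten.
            open_leaks.setdefault(vantage, (asn, when))
        elif vantage in open_leaks:
            # A clean path from the same vantage point closes the window.
            node, start = open_leaks.pop(vantage)
            windows.append((vantage, node, start, when))
    windows += [(v, n, s, None) for v, (n, s) in open_leaks.items()]
    return windows

if __name__ == "__main__":
    for vantage, node, start, end in leak_windows(OBSERVATIONS):
        state = f"until {end:%H:%M}" if end else "STILL VISIBLE"
        print(f"{vantage}: out-of-scope path via AS{node} from {start:%H:%M} {state}")
```
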



