Mark Andrews
Mon May 21 09:10:19 UTC 2007

In article <20070521081322.GA741 at> you write:
>On Sun, May 20, 2007 at 09:25:37PM -0700,
> Roger Marquis <marquis at> wrote 
> a message of 15 lines which said:
>> >If not, have any root nameservers been hacked?
>> To partly answer my own question, no.
>I cannot find the original message in my mailbox. (Not on NANOG
>mailing list archives.) What was the issue?
>> The data returned by root (gtld) nameservers is not changing
>> rapidly.
>Now, I understand nothing. Is there a problem with the root
>nameservers or with some gTLD nameservers???

	There isn't a problem with the root or tld servers.

	There is a problem with the server for these zones.
	They don't speak RFC 1034, hence the error messages
	about garbage responses.

	Note the answer doesn't match the question.

; <<>> DiG 9.5.0a2 <<>> @ +norec
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36800
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;               IN      A

;; ANSWER SECTION:            0       IN      A

;; Query time: 212 msec
;; WHEN: Mon May 21 19:05:58 2007
;; MSG SIZE  rcvd: 60

	There is a problem with the whole delegation process in
	that no one involved in the delegation seems to care that
	absolute garbage is being injected into the DNS.  A few
	simple checks, like above, would have show that the servers
	were not RFC 1034 compliant.  That the glue was not a copy
	of the records in the child zone.  The parent *is* required
	by RFC 1034 to check this.

	RFC 1034, 4.2.2. Administrative considerations, paragraph 3.

As the last installation step, the delegation NS RRs and glue RRs
necessary to make the delegation effective should be added to the parent
zone.  The administrators of both zones should insure that the NS and
glue RRs which mark both sides of the cut are consistent and remain so.

	These zones should be pulled.


