DURZ published in root - you ready?

Michael Sinatra michael at rancid.berkeley.edu
Mon Jan 25 02:49:22 CST 2010


On 01/24/10 18:53, Mark Andrews wrote:
> In message<202705b1001241834l5b1911bat97ee2130f632f002 at mail.gmail.com>, Jorge Amodio writes:
>> Good point, tomorrow/today we'll start seeing what gets broken and
>> hopefully why.
>>
>> Regards.
>> Jorge
>
> I don't expect to see much until the last root server (J) switches
> over.  DNS implementations are remarkably robust at routing around
> perceived "damage".
>
> Week of 2010-05-03: J starts to serve DURZ

There's some evidence within the traffic to the authoritative servers 
for the now-signed berkeley.edu zone that answers from the authoritative 
servers are not being received by certain queriers.  These queriers, who 
are setting DO (and of course EDNS0) in their queries, are retrying the 
same queries until they reach the one "sacrificial lamb" server that is 
set to give out minimal answers and limit EDNS0 responses to 512 bytes 
(thereby frequently triggering failover to TCP for those minimal answers 
that still exceed 512 bytes).

It will be interesting to see how traffic patterns to the various root 
servers evolve as more servers get the DURZ.

Also, I got my first apparently DNSSEC-related "your server is attacking 
me" notice.  It was little more than a log snippet that indicated that a 
UCB authoritative server was perpetrating a "big bomb" attack on a 
system behind this firewall.  "Big bomb" is a notification from Netgear 
firewalls and CPE routers.  Not sure how much activity the abuse 
contacts for the various rootops netblocks get, but you'll probably see 
more.

michael
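The retry pattern Michael describes (DO/EDNS0 queriers losing large UDP answers until they reach the 512-byte-limited server and fall back to TCP) as an added Python model; this is not code from the thread or from the berkeley.edu servers. It assumes a constructed 1500-byte signed answer, a middlebox that drops UDP payloads over 512 bytes, and a list of servers whose only difference is their UDP response ceiling.

```python
import struct

OPT_TYPE = 41       # EDNS0 OPT pseudo-RR type (RFC 6891)
DO_FLAG = 0x8000    # DNSSEC OK bit, high bit of the low 16 bits of the OPT TTL


def build_opt_rr(udp_payload_size: int, do: bool) -> bytes:
    """Encode an OPT RR: root owner name, TYPE=41, CLASS=advertised UDP
    payload size, TTL=ext-rcode(8)|version(8)|DO(1)|Z(15), RDLEN=0."""
    ttl = DO_FLAG if do else 0
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, ttl, 0)


def parse_opt_rr(rr: bytes) -> dict:
    """Decode the two fields that matter here: buffer size and DO bit."""
    if rr[0] != 0:
        raise ValueError("OPT owner name must be the root")
    rtype, payload, ttl, _rdlen = struct.unpack("!HHIH", rr[1:11])
    if rtype != OPT_TYPE:
        raise ValueError("not an OPT RR")
    return {"udp_payload_size": payload, "do": bool(ttl & DO_FLAG)}


def plan_udp_response(answer_len: int, client_bufsize: int, server_max_udp: int) -> dict:
    """What an authoritative server puts on the wire over UDP: the full answer
    if it fits in min(client buffer, server ceiling), else a small TC=1 reply."""
    limit = min(client_bufsize, server_max_udp)
    if answer_len <= limit:
        return {"bytes_on_wire": answer_len, "tc": False}
    # Truncated reply is header + question + OPT, assumed to fit in 512 bytes.
    return {"bytes_on_wire": 512, "tc": True}


def simulate_lookup(answer_len: int, client_bufsize: int, servers: list, path_udp_limit: int):
    """Walk a resolver through `servers` (each entry is that server's UDP
    ceiling) and return (index answering, transport, UDP tries). A datagram
    larger than path_udp_limit is silently dropped, so the resolver times out
    and moves to the next server; a TC=1 reply makes it retry over TCP."""
    tries = 0
    for i, server_max in enumerate(servers):
        tries += 1
        plan = plan_udp_response(answer_len, client_bufsize, server_max)
        if plan["bytes_on_wire"] > path_udp_limit:
            continue  # answer lost in transit; try the next server
        return i, ("tcp" if plan["tc"] else "udp"), tries
    return None, None, tries  # every server's answer was dropped: SERVFAIL
```

With three servers at [4096, 4096, 512] and a 512-byte path, the 1500-byte answer only gets through on the third try, over TCP; the same lookup on a clean 1500-byte path succeeds on the first UDP try.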