DURZ published in root - you ready?
michael at rancid.berkeley.edu
Mon Jan 25 08:49:22 UTC 2010
On 01/24/10 18:53, Mark Andrews wrote:
> In message<202705b1001241834l5b1911bat97ee2130f632f002 at mail.gmail.com>, Jorge Amodio writes:
>> Good point, tomorrow/today we'll start seeing what gets broken and
>> hopefully why.
> I don't expect to see much until the last root server (J) switches
> over. DNS implementations are remarkably robust at routing around
> perceived "damage".
> Week of 2010-05-03: J starts to serve DURZ
There's some evidence within the traffic to the authoritative servers
for the now-signed berkeley.edu zone that answers from the authoritative
servers are not being received by certain queriers. These queriers, who
are setting DO (and of course EDNS0) in their queries, are retrying the
same queries until they reach the one "sacrificial lamb" server that is
set to give out minimal answers and limit EDNS0 responses to 512 bytes
(thereby frequently triggering failover to TCP for those minimal answers
that still exceed 512 bytes).
It will be interesting to see how traffic patterns to the various root
servers evolve as more servers get the DURZ.
Also, I got my first apparently DNSSEC-related "your server is attacking
me" notice. It was little more than a log snippet that indicated that a
UCB authoritative server was perpetrating a "big bomb" attack on a
system behind this firewall. "Big bomb" is a notification from Netgear
firewalls and CPE routers. Not sure how much activity the abuse
contacts for the various rootops netblocks get, but you'll probably see
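An added example in Python (not code from this thread or from UC Berkeley): it builds the kind of DO-flagged EDNS0 query the message describes, parses the advertised UDP payload size and the TC bit back out of a DNS message, and models the size negotiation that makes a server capped at 512 bytes truncate large DNSSEC answers and push resolvers to a TCP retry. The name, sizes and sample messages are constructed for illustration.

```python
import struct

OPT_TYPE = 41        # EDNS0 OPT pseudo-RR type (RFC 6891)
DO_FLAG = 0x8000     # "DNSSEC OK" bit in the OPT TTL field's flags half
NON_EDNS_LIMIT = 512 # classic DNS-over-UDP ceiling when no OPT record is present

def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split(".") if l) + b"\x00"

def build_query(name: str, qtype: int, udp_size: int, do: bool, msg_id: int = 0x1234) -> bytes:
    """DNS query with one question plus an OPT RR in the additional section."""
    header = struct.pack(">HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)  # RD=1, qd=1, ar=1
    question = encode_name(name) + struct.pack(">HH", qtype, 1)  # class IN
    # OPT RR: empty name, TYPE=41, CLASS=requestor's UDP payload size,
    # TTL field = ext-RCODE | version | flags, DO in the top flag bit
    opt = b"\x00" + struct.pack(">HHIH", OPT_TYPE, udp_size, DO_FLAG if do else 0, 0)
    return header + question + opt

def skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def parse_edns(msg: bytes):
    """Return (tc, udp_size, do); udp_size is None if the message has no OPT RR."""
    _, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    tc, off = bool(flags & 0x0200), 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    udp_size, do = None, False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            udp_size, do = rclass, bool(ttl & DO_FLAG)
    return tc, udp_size, do

def udp_limit(client_udp_size, server_max: int) -> int:
    """Largest UDP answer the server may send: the smaller of the client's
    advertised size and the server's configured maximum; 512 without EDNS0."""
    return NON_EDNS_LIMIT if client_udp_size is None else min(client_udp_size, server_max)

def must_truncate(answer_size: int, client_udp_size, server_max: int) -> bool:
    """True when the server must set TC, so the resolver has to retry over TCP."""
    return answer_size > udp_limit(client_udp_size, server_max)
```

A server configured with `server_max=512`, like the "sacrificial lamb" above, truncates any signed answer over 512 bytes even when the client advertised 4096.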