Couple of comments to the ALAC (open) list might be useful. First from Patrick Vande Walle, ALAC liaison to the SSAC, second from James Seng (known I think to most -- good guy.) At 4:39 PM +0200 3/28/10, Patrick Vande Walle wrote: > > >http://www.betanews.com/article/With-three-months-to-go-to-DNSSEC-someones-fudging-root-zone-records/1269642342 > >To summarize: last week, an anycast instance of >the I root server stated exhibiting a strange >behaviour. Some replies appeared to be spoofed. > >Autonomica, the Swedish company managing the I >root, claims their anycast instance in China is >identical to the other instances they have >around the world. In other words, they serve the >same root zone, not something that would be >"adapted" to the Chinese Internet regulations. >CNNIC, on their side, say they are just >supplying the power and the bandwidth. > >There is a lively discussion on the origin of >this malfunction on the SSAC list. Opinions >differ, but the research is going on. However, >some raised the issue of the accountability of >root server operators, and the fact that the >absence of a contractual framework (minus >L-root) between them and ICANN means that no-one >is able to formally complain and seek redress. >It is all a question of good faith and >willingness on the side of the rootops. > >I think indeed that ICANN will have to think >about a contractual framework with the root zone >operators in the future, along the lines of the >registry agreements. After all, the Internet >users deserve the same level of service from the >root that they get from gTLD operators. I am not >saying that the rootops have done a bad job. >Quite the contrary. They have done an >outstanding volunteer job. However, there >should be a mechanism to replace a root operator >that fails for whatever reason. > >-- >Patrick Vande Walle >Blog: http://patrick.vande-walle.eu >Twitter: http://twitter.vande-walle.eu >Facebook: http://facebook.vande-walle.eu At 12:32 PM +0800 3/29/10, James Seng wrote: > >I am sort of involved in this right now so I cannot talk too much >about it right now. > >But by now, it is clear to me that > >1/ CNNIC is not responsible for this; They definitely did not mess >with the server. > >2/ The ISP which messed with the DNS packet is notified and the >behavior has stopped. All indication so far it is an honest human >mistake. > >3/ This problem has high level attention. > >-James Seng > Hope this helps, Adam At 11:53 AM +0300 3/29/10, McTim wrote: >Robin, > >On Mon, Mar 29, 2010 at 8:21 AM, Robin Gross <[log in to unmask]> wrote: >> I'd like to learn more about the implications for censorship in this recent >> episode with the Chinese root server and NIC server in Chile. Any DNS >> experts provide any guidance? > >What exactly do you want to know? > >This behaviour has been observed previously from root instances in >China. It's part of the GFW of China. It's not limited to queries >from Chile, they were just the first to report and document this >episode. > >-- >Cheers, > >McTim >"A name indicates what we seek. An address indicates where it is. A >route indicates how we get there." Jon Postel > > > > > > > >> Thanks, >> Robin >> >>http://www.itworld.com/networking/102576/after-dns-problem-chinese-root-server-shut-down >> After DNS problem, Chinese root server is shut down >> >> The server is thought to have extended Chinese filtering technology to Chile >> and the US >> >> by Robert McMillan >> March 26, 2010, 08:10 PM ‹ IDG News Service ‹ >> >> A China-based root DNS server associated with networking problems in Chile >> and the U.S. has been disconnected from the Internet. >> >> The action by the server's operator, Netnod, appears to have resolved a >> problem that was causing some Internet sites to be inadvertently censored by >> a system set up in the People's Republic of China. >> >> On Wednesday, operators at NIC Chile noticed that several ISPs (Internet >> service providers) were providing faulty DNS information, apparently derived > > from China. China uses the DNS system to enforce Internet censorship on its >> so-called Great Firewall of China, and the ISPs were using this incorrect >> DNS information. >> >> That meant that users of the network trying to visit Facebook, Twitter and >> YouTube were directed to Chinese computers instead. >> >> In Chile, ISPs VTR, Telmex and several others -- all of them customers of >> upstream provider Global Crossing -- were affected, NIC Chile said in a >> statement on Friday. The problem, first publicly reported on Wednesday, >> appears to have persisted for a few days before it was made public, the >> statement says. >> >> A NIC Chile server in California was also hit with the problem, NIC Chile >> said. While it's not clear how this server was getting the bad DNS >> information, it came via either Network Solutions or Equinix, according to >> NIC Chile. >> >> Network Solutions wasn't to blame as it does not offer backbone provider >> services to NIC Chile, said Rick Wilhelm, the company's vice president of >> engineering. Equinix and Global Crossing could not immediately be reached >> for comment. >> >> Netnod, which maintains a copy of its root DNS server in China, has now >> "withdrawn route announcements" made by the server, according to company CEO >> Kurt Lindqvist. This effectively disconnects the server from the Internet. >> In an e-mail interview, Lindqvist said he could not recall when his company >> took this action. >> >> Netnod insists that its server did not contain the bad data that redirected >> Internet traffic, and security experts agree, saying that its data was >> probably being altered by the Chinese government somewhere on China's >> network, in order to enforce the country's Great Firewall. >> >> >> >> >> IP JUSTICE >> Robin Gross, Executive Director >> 1192 Haight Street, San Francisco, CA 94117 USA >> p: +1-415-553-6261 f: +1-415-462-6451 >> w: http://www.ipjustice.org e: [log in to unmask] >> >> >>