[dns-wg] [mat-wg] NSID option on the RIPE Atlas SOA measurements of the root servers
Stephane Bortzmeyer bortzmeyer at nic.fr
Mon Jul 24 10:02:51 CEST 2017
On Thu, Jul 20, 2017 at 02:20:39PM +0200,
 Chris Amin <camin at ripe.net> wrote
 a message of 90 lines which said:

> it would be useful to have SOA queries from all probes with the NSID
> EDNS option set, in order to be able to match up responses with the
> particular responding instances

It is also useful to detect rogue root name servers (quite common with
anycast) or transparent DNS proxies.

(Measurement #9209448 finds several probes asking a rogue L-root,
which has no NSID support, or located behind a middlebox which strips
NSID. Check probes 23621, 19770, 24890, 26328, 27059, 27080, 27843,
33806, 21570, 14272, 13660, 17775, 17841, 26587, 30847, 11410, 23438,
29814, 13719, 21140, 25189, 25197. For some, the SOA serial number is
so old that it is probably a rogue root name server. Also, one probe,
28846, finds a server replying with an abnormal NSID, which is not the
normal from L-root.)

> 1) Enable the NSID option for the existing built-in measurements
> towards the nine root servers which support it.

Why only these? Activating it for all servers would help if the last
non-NSID servers switch suddenly to NSID. And it would also be useful
to find rogue servers if they have NSID enabled (probe 28846 is behind
a proxy which always adds dummy NSID replies).
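
The three signals named in the message above (no NSID in the reply, an NSID that does not look like the expected operator's, a SOA serial that is too old) can be checked directly on a raw DNS response. This is an added example, not part of the original post or of RIPE Atlas; the function names, the NSID suffix passed in, the two-day age threshold and the sample message are assumptions or constructed data, and the serial check assumes the root zone's YYYYMMDDNN serial convention.

```python
import struct
from datetime import date

TYPE_SOA, TYPE_OPT, OPT_NSID = 6, 41, 3  # RFC 1035, RFC 6891, RFC 5001

def skip_name(msg, off):  # offset just past a name (labels or a 2-byte pointer)
    while msg[off] & 0xC0 != 0xC0 and msg[off] != 0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def soa_serial_and_nsid(msg):  # -> (SOA serial, NSID bytes); None where absent
    qd, an, ns, ar = struct.unpack_from("!4H", msg, 4)
    off, serial, nsid = 12, None, None
    for _ in range(qd):
        off = skip_name(msg, off) + 4              # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == TYPE_SOA and serial is None and rdlen >= 20:
            serial = struct.unpack("!I", rdata[-20:-16])[0]  # rdata ends in 5 uint32
        p = 0
        while rtype == TYPE_OPT and p + 4 <= rdlen:  # walk the EDNS options
            code, olen = struct.unpack_from("!HH", rdata, p)
            if code == OPT_NSID:
                nsid = rdata[p + 4:p + 4 + olen]
            p += 4 + olen
    return serial, nsid

def classify(msg, today, expected_suffix, max_age_days=2):
    """Flag a reply; expected_suffix and max_age_days are assumed policy values."""
    serial, nsid = soa_serial_and_nsid(msg)
    flags = ["no-nsid"] if not nsid else []
    if nsid and not nsid.endswith(expected_suffix):
        flags.append("unexpected-nsid")
    try:  # root zone serials are YYYYMMDDNN
        d = serial // 100
        if (today - date(d // 10000, d // 100 % 100, d % 100)).days > max_age_days:
            flags.append("stale-serial")
    except (TypeError, ValueError):
        flags.append("unparseable-serial")
    return flags

def sample(serial, nsid=None):  # constructed ". SOA" reply, not captured traffic
    soa = b"\x01a\x00\x01b\x00" + struct.pack("!5I", serial, 1800, 900, 604800, 86400)
    msg = struct.pack("!6H", 1, 0x8400, 1, 1, 0, 1) + b"\x00\x00\x06\x00\x01"
    msg += b"\x00" + struct.pack("!HHIH", 6, 1, 86400, len(soa)) + soa
    opt = b"" if nsid is None else struct.pack("!HH", OPT_NSID, len(nsid)) + nsid
    return msg + b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(opt)) + opt
```

A missing NSID alone does not distinguish a rogue server from a middlebox that strips the option, which is why the serial age is reported as a separate flag.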