Chinese root server is shut down - DNS and censorship

Adam Peake ajp at GLOCOM.AC.JP
Mon Mar 29 11:20:48 CEST 2010


Couple of comments to the ALAC (open) list might be useful.

First from Patrick Vande Walle, ALAC liaison to 
the SSAC, second from James Seng (known I think 
to most -- good guy.)


At 4:39 PM +0200 3/28/10, Patrick Vande Walle wrote:
>
>
>http://www.betanews.com/article/With-three-months-to-go-to-DNSSEC-someones-fudging-root-zone-records/1269642342
>
>To summarize: last week, an anycast instance of 
>the I root server stated exhibiting a strange 
>behaviour. Some replies appeared to be spoofed.
>
>Autonomica, the Swedish company managing the I 
>root, claims their anycast instance in China is 
>identical to the other instances they have 
>around the world. In other words, they serve the 
>same root zone, not something that would be 
>"adapted" to the Chinese Internet regulations. 
>CNNIC, on their side, say they are just 
>supplying the power and the bandwidth.
>
>There is a lively discussion on the origin of 
>this malfunction on the SSAC list. Opinions 
>differ, but the research is going on. However, 
>some raised the issue of the accountability of 
>root server operators, and the fact that the 
>absence of a contractual framework (minus 
>L-root) between them and ICANN means that no-one 
>is able to formally complain and seek redress. 
>It is all a question of good faith and 
>willingness on the side of the rootops.
>
>I think indeed that ICANN will have to think 
>about a contractual framework with the root zone 
>operators in the future, along the lines of the 
>registry agreements. After all, the Internet 
>users deserve the same level of service from the 
>root that they get from gTLD operators. I am not 
>saying that the rootops have done a bad job. 
>Quite the contrary. They have done an 
>outstanding  volunteer job. However, there 
>should be a mechanism to replace a root operator 
>that fails for whatever reason.
>
>--
>Patrick Vande Walle
>Blog: http://patrick.vande-walle.eu
>Twitter: http://twitter.vande-walle.eu
>Facebook: http://facebook.vande-walle.eu



At 12:32 PM +0800 3/29/10, James Seng wrote:
>
>I am sort of involved in this right now so I cannot talk too much
>about it right now.
>
>But by now, it is clear to me that
>
>1/ CNNIC is not responsible for this; They definitely did not mess
>with the server.
>
>2/ The ISP which messed with the DNS packet is notified and the
>behavior has stopped. All indication so far it is an honest human
>mistake.
>
>3/ This problem has high level attention.
>
>-James Seng
>


Hope this helps,

Adam


At 11:53 AM +0300 3/29/10, McTim wrote:
>Robin,
>
>On Mon, Mar 29, 2010 at 8:21 AM, Robin Gross <robin at ipjustice.org> wrote:
>>  I'd like to learn more about the implications for censorship in this recent
>>  episode with the Chinese root server and NIC server in Chile.    Any DNS
>>  experts provide any guidance?
>
>What exactly do you want to know?
>
>This behaviour has been observed previously from root instances in
>China.  It's part of the GFW of China.  It's not limited to queries
>from Chile, they were just the first to report and document this
>episode.
>
>--
>Cheers,
>
>McTim
>"A name indicates what we seek. An address indicates where it is. A
>route indicates how we get there."  Jon Postel
>
>
>
>
>
>
>
>>  Thanks,
>>  Robin
>> 
>>http://www.itworld.com/networking/102576/after-dns-problem-chinese-root-server-shut-down
>>  After DNS problem, Chinese root server is shut down
>>
>>  The server is thought to have extended Chinese filtering technology to Chile
>>  and the US
>>
>>  by Robert McMillan
>>  March 26, 2010, 08:10 PM ‹  IDG News Service ‹
>>
>>  A China-based root DNS server associated with networking problems in Chile
>>  and the U.S. has been disconnected from the Internet.
>>
>>  The action by the server's operator, Netnod, appears to have resolved a
>>  problem that was causing some Internet sites to be inadvertently censored by
>>  a system set up in the People's Republic of China.
>>
>>  On Wednesday, operators at NIC Chile noticed that several ISPs (Internet
>>  service providers) were providing faulty DNS information, apparently derived
>  > from China. China uses the DNS system to enforce Internet censorship on its
>>  so-called Great Firewall of China, and the ISPs were using this incorrect
>>  DNS information.
>>
>>  That meant that users of the network trying to visit Facebook, Twitter and
>>  YouTube were directed to Chinese computers instead.
>>
>>  In Chile, ISPs VTR, Telmex and several others -- all of them customers of
>>  upstream provider Global Crossing -- were affected, NIC Chile said in a
>>  statement on Friday. The problem, first publicly reported on Wednesday,
>>  appears to have persisted for a few days before it was made public, the
>>  statement says.
>>
>>  A NIC Chile server in California was also hit with the problem, NIC Chile
>>  said. While it's not clear how this server was getting the bad DNS
>>  information, it came via either Network Solutions or Equinix, according to
>>  NIC Chile.
>>
>>  Network Solutions wasn't to blame as it does not offer backbone provider
>>  services to NIC Chile, said Rick Wilhelm, the company's vice president of
>>  engineering. Equinix and Global Crossing could not immediately be reached
>>  for comment.
>>
>>  Netnod, which maintains a copy of its root DNS server in China, has now
>>  "withdrawn route announcements" made by the server, according to company CEO
>>  Kurt Lindqvist. This effectively disconnects the server from the Internet.
>>  In an e-mail interview, Lindqvist said he could not recall when his company
>>  took this action.
>>
>>  Netnod insists that its server did not contain the bad data that redirected
>>  Internet traffic, and security experts agree, saying that its data was
>>  probably being altered by the Chinese government somewhere on China's
>>  network, in order to enforce the country's Great Firewall.
>>
>>
>>
>>
>>  IP JUSTICE
>>  Robin Gross, Executive Director
>>  1192 Haight Street, San Francisco, CA  94117  USA
>>  p: +1-415-553-6261    f: +1-415-462-6451
>>  w: http://www.ipjustice.org     e: robin at ipjustice.org
>>
>>
>>


More information about the Ncuc-discuss mailing list