Chinese root server is shut down - DNS and censorship
Adam Peake
ajp at GLOCOM.AC.JP
Mon Mar 29 11:20:48 CEST 2010
Couple of comments to the ALAC (open) list might be useful.
First from Patrick Vande Walle, ALAC liaison to
the SSAC, second from James Seng (known I think
to most -- good guy.)
At 4:39 PM +0200 3/28/10, Patrick Vande Walle wrote:
>
>
>http://www.betanews.com/article/With-three-months-to-go-to-DNSSEC-someones-fudging-root-zone-records/1269642342
>
>To summarize: last week, an anycast instance of
>the I root server stated exhibiting a strange
>behaviour. Some replies appeared to be spoofed.
>
>Autonomica, the Swedish company managing the I
>root, claims their anycast instance in China is
>identical to the other instances they have
>around the world. In other words, they serve the
>same root zone, not something that would be
>"adapted" to the Chinese Internet regulations.
>CNNIC, on their side, say they are just
>supplying the power and the bandwidth.
>
>There is a lively discussion on the origin of
>this malfunction on the SSAC list. Opinions
>differ, but the research is going on. However,
>some raised the issue of the accountability of
>root server operators, and the fact that the
>absence of a contractual framework (minus
>L-root) between them and ICANN means that no-one
>is able to formally complain and seek redress.
>It is all a question of good faith and
>willingness on the side of the rootops.
>
>I think indeed that ICANN will have to think
>about a contractual framework with the root zone
>operators in the future, along the lines of the
>registry agreements. After all, the Internet
>users deserve the same level of service from the
>root that they get from gTLD operators. I am not
>saying that the rootops have done a bad job.
>Quite the contrary. They have done an
>outstanding volunteer job. However, there
>should be a mechanism to replace a root operator
>that fails for whatever reason.
>
>--
>Patrick Vande Walle
>Blog: http://patrick.vande-walle.eu
>Twitter: http://twitter.vande-walle.eu
>Facebook: http://facebook.vande-walle.eu
At 12:32 PM +0800 3/29/10, James Seng wrote:
>
>I am sort of involved in this right now so I cannot talk too much
>about it right now.
>
>But by now, it is clear to me that
>
>1/ CNNIC is not responsible for this; They definitely did not mess
>with the server.
>
>2/ The ISP which messed with the DNS packet is notified and the
>behavior has stopped. All indication so far it is an honest human
>mistake.
>
>3/ This problem has high level attention.
>
>-James Seng
>
Hope this helps,
Adam
At 11:53 AM +0300 3/29/10, McTim wrote:
>Robin,
>
>On Mon, Mar 29, 2010 at 8:21 AM, Robin Gross <robin at ipjustice.org> wrote:
>> I'd like to learn more about the implications for censorship in this recent
>> episode with the Chinese root server and NIC server in Chile. Any DNS
>> experts provide any guidance?
>
>What exactly do you want to know?
>
>This behaviour has been observed previously from root instances in
>China. It's part of the GFW of China. It's not limited to queries
>from Chile, they were just the first to report and document this
>episode.
>
>--
>Cheers,
>
>McTim
>"A name indicates what we seek. An address indicates where it is. A
>route indicates how we get there." Jon Postel
>
>
>
>
>
>
>
>> Thanks,
>> Robin
>>
>>http://www.itworld.com/networking/102576/after-dns-problem-chinese-root-server-shut-down
>> After DNS problem, Chinese root server is shut down
>>
>> The server is thought to have extended Chinese filtering technology to Chile
>> and the US
>>
>> by Robert McMillan
>> March 26, 2010, 08:10 PM IDG News Service
>>
>> A China-based root DNS server associated with networking problems in Chile
>> and the U.S. has been disconnected from the Internet.
>>
>> The action by the server's operator, Netnod, appears to have resolved a
>> problem that was causing some Internet sites to be inadvertently censored by
>> a system set up in the People's Republic of China.
>>
>> On Wednesday, operators at NIC Chile noticed that several ISPs (Internet
>> service providers) were providing faulty DNS information, apparently derived
> > from China. China uses the DNS system to enforce Internet censorship on its
>> so-called Great Firewall of China, and the ISPs were using this incorrect
>> DNS information.
>>
>> That meant that users of the network trying to visit Facebook, Twitter and
>> YouTube were directed to Chinese computers instead.
>>
>> In Chile, ISPs VTR, Telmex and several others -- all of them customers of
>> upstream provider Global Crossing -- were affected, NIC Chile said in a
>> statement on Friday. The problem, first publicly reported on Wednesday,
>> appears to have persisted for a few days before it was made public, the
>> statement says.
>>
>> A NIC Chile server in California was also hit with the problem, NIC Chile
>> said. While it's not clear how this server was getting the bad DNS
>> information, it came via either Network Solutions or Equinix, according to
>> NIC Chile.
>>
>> Network Solutions wasn't to blame as it does not offer backbone provider
>> services to NIC Chile, said Rick Wilhelm, the company's vice president of
>> engineering. Equinix and Global Crossing could not immediately be reached
>> for comment.
>>
>> Netnod, which maintains a copy of its root DNS server in China, has now
>> "withdrawn route announcements" made by the server, according to company CEO
>> Kurt Lindqvist. This effectively disconnects the server from the Internet.
>> In an e-mail interview, Lindqvist said he could not recall when his company
>> took this action.
>>
>> Netnod insists that its server did not contain the bad data that redirected
>> Internet traffic, and security experts agree, saying that its data was
>> probably being altered by the Chinese government somewhere on China's
>> network, in order to enforce the country's Great Firewall.
>>
>>
>>
>>
>> IP JUSTICE
>> Robin Gross, Executive Director
>> 1192 Haight Street, San Francisco, CA 94117 USA
>> p: +1-415-553-6261 f: +1-415-462-6451
>> w: http://www.ipjustice.org e: robin at ipjustice.org
>>
>>
>>
More information about the Ncuc-discuss
mailing list