Netnod -- Bad DNS information wasn't our fault

Netnod, the Swedish service provider that maintains the Chinese root server associated with some dodgy Great-Firewall-of-China-style DNS info last week, has released a detailed statement on what they're doing about the issue.

For some reason, networks in Chile and the U.S. began looking to Netnod's China-based root server as authoritative, and that led to bogus responses for domains like Twitter and Facebook, similar to what one would get within China.

Bottom line today: the server is still offline, and we still don't know what happened. Netnod stresses that their data was good, and I believe them. It seems completely believable that the bad DNS information was somehow being inserted in transit. But why did it leak out?

Here's Netnod's statement, via CEO Kurt Erik Lindqvist:

As operators of i.root-servers.net, one of Internet's 13 DNS root server systems, we would like to make the following statement regarding the incident on March 24, where queries to the i.root-servers.net instance in Beijing regarding certain domain names, in some cases ostensibly produced incorrect responses.

*) Netnod/Autonomica is 100% committed to serving the root zone DNS data as published by the IANA. We have made a clear and public declaration of this, and we guarantee that the responses sent out by any i.root-servers.net instance consist of the appropriate data in the IANA root zone.

Furthermore, the identity of the source of the query does not in any way affect the way a certain query is treated by i.root-servers.net.

http://www.netnod.se/pdf_files/autonomica-signed-mri.pdf

http://www.icann.com/correspondence/lindqvist-to-twomey-08may09-en.pdf

There was no deviation on our part from this principle on March 24.

*) Once we had determined that the incorrect replies were associated with queries sent to our anycast node in Beijing, and we had performed some testing, we withdrew the announcements of the i.root-servers.net service from that location. That withdrawal remains in effect.

*) Our root server instance in Beijing, China, has *NO* special properties that make it different from any other instance of i.root-servers.net. For every query it receives, a response is sent out - a response that contains exactly the same data that any other instance of i.root-servers.net would send out in response to the same question.

*) We see no traces whatsoever of non-Netnod/Autonomica activities on our machines in Beijing, nor do we see any traces of malfunctioning hardware or software on said machines.

*) As packets traverse the Internet they cross multiple service providers, that all have access to the packets. It's impossible for a sender to guarantee that a packet arrives as sent unless some sort of packet content integrity mechanism is applied. In the case of DNS, this is called DNSSEC. Had the responses to the queries been signed with DNSSEC, and had the DNSSEC protocol been observed in the recipient end, it would have been obvious to the recipient that the data received was not the data published by the zone maintainers.

We also note that the use of authenticated network resource public key infrastructure systems (RPKI) would not have helped in this situation, as we have no reason to believe that any ISP has sent incorrect routing information to any other ISP in this case.

We would also like to stress that the incorrect responses were ONLY seen in response to some (but not all) queries sent towards the i.root-servers.net instance in Beijing. We have no reports that indicate problems with any other i.root-servers.net instance than Beijing.

*) We are working with CNNIC, who host our installation in Beijing, to find an explanation for the observed behaviour, and we maintain full confidence in our host's good intentions in providing the best of service to us and to the Internet in general.

*) We will work with CNNIC on a way to re-establish service from Beijing in a stable and secure manner, once we know more about the cause of the problems seen, and feel comfortable that the situation has been rectified.

We will produce further statements as we believe we have authoritative information
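A genuine root server does not answer queries for names like the ones mentioned above; it only refers the resolver to the TLD's name servers. The following is an added example (not from Netnod or the original article) of a heuristic check on that difference for replies that claim to come from a root server. It is not DNSSEC validation, and the function names and sample packets are constructed for illustration.

```python
import struct

def encode_name(name):
    """Encode a domain name as uncompressed DNS wire-format labels."""
    parts = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def read_qname(msg, off=12):
    """Decode the (uncompressed) question name that follows the 12-byte header."""
    labels = []
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii").lower())
        off += 1 + n
    return labels

def classify_root_reply(msg):
    """Classify a reply to a query that was sent to a root server."""
    if len(msg) < 17:                            # header + shortest possible question
        return "other"
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000 or qd != 1:            # not a response / odd question count
        return "other"
    try:
        labels = read_qname(msg)
    except (IndexError, UnicodeDecodeError):     # truncated or malformed question
        return "other"
    # Root servers legitimately answer for the root, root-servers.net and arpa.
    if len(labels) < 2 or labels[-1] == "arpa" or labels[-2:] == ["root-servers", "net"]:
        return "other"
    if an > 0:                                   # a root server only refers these names
        return "suspicious-answer"
    if (flags & 0x040F) == 0 and ns > 0:         # AA clear, RCODE 0, NS records present
        return "referral"
    return "other"

def sample_reply(qname, answer_ip=None):
    """Constructed sample packets (not captured traffic): a referral or an A answer."""
    question = encode_name(qname) + struct.pack("!HH", 1, 1)        # QTYPE A, QCLASS IN
    if answer_ip:
        rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(answer_ip)
        return struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + question + rr
    tld, ns_name = qname.rsplit(".", 1)[-1], encode_name("a.gtld-servers.net")
    rr = encode_name(tld) + struct.pack("!HHIH", 2, 1, 172800, len(ns_name)) + ns_name
    return struct.pack("!6H", 0x1234, 0x8000, 1, 0, 1, 0) + question + rr

if __name__ == "__main__":
    for ip in (None, (192, 0, 2, 1)):            # 192.0.2.1 is a documentation address
        print(classify_root_reply(sample_reply("www.example.com", ip)))
```

A "suspicious-answer" result only says the reply is not what a root server would send; it does not identify where on the path the reply was produced.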


Copyright © 2010 IDG Communications, Inc.
