Netnod, the Swedish service provider that maintains the Chinese root server associated with some dodgy Great-Firewall-of-China-style DNS info last week, has released a detailed statement on what they’re doing about the issue. For some reason, networks in Chile and the U.S. began looking to Netnod’s China-based root server as authoritative, and that led to bogus responses for domains like Twitter and Facebook, similar to what one would get within China.

Bottom line today: the server is still offline, and we still don’t know what happened. Netnod stresses that their data was good, and I believe them. It seems completely believable that the bad DNS information was somehow being inserted in transit. But why did it leak out?

Here’s Netnod’s statement, via CEO Kurt Erik Lindqvist:

As operators of i.root-servers.net, one of Internet’s 13 DNS root server systems, we would like to make the following statement regarding the incident on March 24, where queries to the i.root-servers.net instance in Beijing regarding certain domain names, in some cases ostensibly produced incorrect responses.

*) Netnod/Autonomica is 100% committed to serving the root zone DNS data as published by the IANA. We have made a clear and public declaration of this, and we guarantee that the responses sent out by any i.root-servers.net instance consist of the appropriate data in the IANA root zone.

Furthermore, the identity of the source of the query does not in any way affect the way a certain query is treated by i.root-servers.net.

http://www.netnod.se/pdf_files/autonomica-signed-mri.pdf
http://www.icann.com/correspondence/lindqvist-to-twomey-08may09-en.pdf

There was no deviation on our part from this principle on March 24.

*) Once we had determined that the incorrect replies were associated with queries sent to our anycast node in Beijing, and we had performed some testing, we withdrew the announcements of the i.root-servers.net service from that location.
That withdrawal remains in effect.

*) Our root server instance in Beijing, China, has *NO* special properties that make it different from any other instance of i.root-servers.net. For every query it receives, a response is sent out – a response that contains exactly the same data that any other instance of i.root-servers.net would send out in response to the same question.

*) We see no traces whatsoever of non-Netnod/Autonomica activities on our machines in Beijing, nor do we see any traces of malfunctioning hardware or software on said machines.

*) As packets traverse the Internet they cross multiple service providers, that all have access to the packets. It’s impossible for a sender to guarantee that a packet arrives as sent unless some sort of packet content integrity mechanism is applied. In the case of DNS, this is called DNSSEC. Had the responses to the queries been signed with DNSSEC, and had the DNSSEC protocol been observed in the recipient end, it would have been obvious to the recipient that the data received was not the data published by the zone maintainers.

We also note that the use of authenticated network resource public key infrastructure systems (RPKI) would not have helped in this situation, as we have no reason to believe that any ISP has sent incorrect routing information to any other ISP in this case.

We would also like to stress that the incorrect responses were ONLY seen in response to some (but not all) queries sent towards the i.root-servers.net instance in Beijing.
We have no reports that indicate problems with any other i.root-servers.net instance than Beijing.

*) We are working with CNNIC, who host our installation in Beijing, to find an explanation for the observed behaviour, and we maintain full confidence in our host’s good intentions in providing the best of service to us and to the Internet in general.

*) We will work with CNNIC on a way to re-establish service from Beijing in a stable and secure manner, once we know more about the cause of the problems seen, and feel comfortable that the situation has been rectified.

We will produce further statements as we believe we have authoritative information
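
The statement says a recipient cannot tell a modified reply from a genuine one without DNSSEC. Short of validation, a resolver operator can still watch for one symptom: a root server normally answers a query for a name such as www.twitter.com with a referral to the TLD's name servers, not with an address record. The Python below is an added example (not from the post or from Netnod) that classifies replies on that basis; the helper names, the sample messages and the assumption that the bogus reply carried an answer record are constructed for illustration.

```python
import struct

# Zones the root servers answer for themselves (assumed list for this sketch).
ROOT_SERVED = ("root-servers.net.",)

def encode_name(name):
    """Encode a dotted name in DNS wire format, without compression."""
    parts = [p.encode("ascii") for p in name.split(".") if p]
    return b"".join(bytes([len(p)]) + p for p in parts) + b"\x00"

def read_qname(msg, off):
    """Read the (uncompressed) question name that starts at offset off."""
    labels = []
    while msg[off]:
        n = msg[off]
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii").lower())
        off += 1 + n
    return ".".join(labels) + "."

def classify_root_reply(msg):
    """Classify a reply that claims to come from a root server."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000 or qd != 1:
        raise ValueError("not a single-question response")
    qname = read_qname(msg, 12)
    exempt = any(qname == z or qname.endswith("." + z) for z in ROOT_SERVED)
    if an == 0 and ns > 0 and not flags & 0x0400:   # no answer, AA bit clear
        return qname, "referral"
    if an > 0 and qname.count(".") >= 2 and not exempt:
        return qname, "suspect-answer"              # root gave a direct answer
    return qname, "other"

def rr(owner, rtype, rdata, ttl=300):  # one resource record, class IN
    return owner + struct.pack("!2HIH", rtype, 1, ttl, len(rdata)) + rdata

def build_reply(qname, flags, answers=(), authority=()):
    """Build a sample reply with one A/IN question."""
    head = struct.pack("!6H", 0x1234, flags, 1, len(answers), len(authority), 0)
    question = encode_name(qname) + struct.pack("!2H", 1, 1)
    return head + question + b"".join(answers) + b"".join(authority)

# Constructed samples: a referral to com., and a reply carrying an A record (192.0.2.1).
REFERRAL = build_reply("www.twitter.com", 0x8000, authority=[
    rr(encode_name("com"), 2, encode_name("a.gtld-servers.net"), 172800)])
INJECTED = build_reply("www.twitter.com", 0x8000, answers=[rr(b"\xc0\x0c", 1, bytes([192, 0, 2, 1]))])
```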