John R Levine <jo...@taugh.com> wrote: > > > This happens in China (on CERNET I believe): there are a set of root > > > mirrors that hijack most (but not all) of the root IPs. As far as we > > > can tell, the servers are legitimate, returning the proper responses, > > > except that the mirror servers don't support DNSSEC. > > > > Those are unusual meanings for "legitimate" and "proper responses"! > > Given the extensive use of anycast, these days one has only the vaguest > idea of who's answering any particular query. But if DNSSEC says it's > good, why do you care?
In the case of these servers, DNSSEC says it is bad, so it is a DoS. Tony. -- f.anthony.n.finch <d...@dotat.at> http://dotat.at/ Fitzroy: West or southwest 5 to 7, occasionally gale 8. Rough at first in east, otherwise very rough or high. Thundery showers. Good occasionally poor. _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
