Naturally C root is fine on HE over IPv4, the issue is with IPv6. 2001:500:2::c is not reachable over HE.
-Cynthia On Sun, Jun 18, 2023 at 8:10 PM <niels=na...@bakker.net> wrote: > > * na...@as397444.net (Matt Corallo) [Sun 18 Jun 2023, 19:12 CEST]: > >If its not useful, please describe a mechanism by which an average > >recursive resolver can be protected against someone hijacking C root > >on Hurricane Electric (which doesn't otherwise have the announcement > >at all, last I heard) and responding with bogus data? > > No comment on DNSSEC but lg.he.net indicates that they do in fact > carry a route to C-root: > --- > 1 76 ms * * port-channel2.core2.pao1.he.net (72.52.92.65) > 2 44 ms 63 ms 78 ms palo-b24-link.ip.twelve99.net (195.12.255.209) > 3 55 ms 66 ms 103 ms cogent-ic-344188.ip.twelve99-cust.net > (62.115.174.65) > 4 74 ms 57 ms 120 ms be2431.ccr41.sjc03.atlas.cogentco.com > (154.54.88.189) > 5 142 ms 99 ms 79 ms be3142.ccr21.sjc01.atlas.cogentco.com > (154.54.1.193) > 6 53 ms 75 ms 111 ms be3176.ccr41.lax01.atlas.cogentco.com > (154.54.31.189) > 7 82 ms 133 ms 85 ms te0-0-2-0.c-root.lax01.atlas.cogentco.com > (154.54.27.138) > 8 60 ms 152 ms 84 ms c.root-servers.net (192.33.4.12) > Entry cached for another 60 seconds. 2023-06-18 17:57:17 UTC > --- > > I don't see any ROAs for AS2149's two originated prefixes, though: > https://irrexplorer.nlnog.net/prefix/192.33.4.0/24 so hijacks might > still be easier than they could be. > > Regards > > > -- Niels.