Let me chime in with some of what I've been telling reporters all day.
I did notice that Paul was quoted as stating essentially that F was not impacted. From my own experience and numerous folks who monitor DNS performance this seems true. However, I did notice that several of the servers which are operated by VeriSign were not responding to at least a large, 50% or greater, fraction of test queries. Even so, VeriSign was good enough to chime in that their root servers were unaffected.
Did I mis-perceive this, or is it another bold-faced lie from VeriSign?
I had congestion-free access to A and J throughout yesterday, so from my point of view VeriSign's servers were just fine. (A and J are not in this building nor even in this state or timezone, so it wasn't a locality issue.) DDoS attacks often end up hurting intermediate links in the path more than the destination of the flow. Determining whether a root name server has "reachability" requires dozens, or hundreds, of diverse monitors. Yesterday's attack was only visible to people who monitor root servers or whose backbones feed root servers -- whereas the average person who just wanted to use DNS to get their work done didn't seem to notice it at all.

-- Paul Vixie