On 01/24/10 18:53, Mark Andrews wrote:
In message <202705b1001241834l5b1911bat97ee2130f632f002@mail.gmail.com>, Jorge Amodio writes:
Good point, tomorrow/today we'll start seeing what gets broken and hopefully why.
Regards. Jorge
I don't expect to see much until the last root server (J) switches over. DNS implementations are remarkably robust at routing around perceived "damage".
Week of 2010-05-03: J starts to serve DURZ
There's some evidence within the traffic to the authoritative servers for the now-signed berkeley.edu zone that answers from the authoritative servers are not being received by certain queriers. These queriers, who are setting DO (and of course EDNS0) in their queries, are retrying the same queries until they reach the one "sacrificial lamb" server that is set to give out minimal answers and limit EDNS0 responses to 512 bytes (thereby frequently triggering failover to TCP for those minimal answers that still exceed 512 bytes). It will be interesting to see how traffic patterns to the various root servers evolve as more servers get the DURZ.

Also, I got my first apparently DNSSEC-related "your server is attacking me" notice. It was little more than a log snippet that indicated that a UCB authoritative server was perpetrating a "big bomb" attack on a system behind this firewall. "Big bomb" is a notification from Netgear firewalls and CPE routers. Not sure how much activity the abuse contacts for the various rootops netblocks get, but you'll probably see more.

michael
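As an added illustration, not code from the thread or from the berkeley.edu operators: a small pure-Python model of the mechanism described in the post above. It builds a query carrying an EDNS0 OPT record with the DO bit set (RFC 3225 / RFC 6891), shows how a server decides whether a DNSSEC-sized answer fits in the UDP limit it is willing to honour (the client's advertised buffer, capped by the server's own configured maximum, such as the 512-byte cap on the "sacrificial lamb" server), and how the client falls back to TCP when the reply comes back with TC=1. The 1200-byte DNSKEY answer size and the two server caps (4096 and 512) are constructed values for the demonstration; the middlebox that drops the large UDP replies is not modelled, only the protocol decisions on each side are.

```python
import struct

DNS_TYPE_OPT = 41
DNS_TYPE_DNSKEY = 48
CLASSIC_UDP_LIMIT = 512   # RFC 1035 UDP payload limit when no EDNS0 is present
EDNS_DO_FLAG = 0x8000     # DO bit: high bit of the OPT "TTL" field (RFC 3225)
HDR_TC = 0x0200           # TC (truncation) bit in the header flags word


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, edns_udp_size=None, do=False, msg_id=0x1234):
    """Wire-format query with RD=1. If edns_udp_size is given, append an
    EDNS0 OPT RR advertising that buffer size; do=True also sets the DO bit."""
    arcount = 1 if edns_udp_size is not None else 0
    msg = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    if edns_udp_size is not None:
        ttl = EDNS_DO_FLAG if do else 0  # ext-rcode=0, version=0, flags
        msg += b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, edns_udp_size, ttl, 0)
    return msg


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at off."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer occupies two bytes
            return off + 2
        off += 1 + ln


def parse_edns(msg):
    """Return (udp_size, do) from the OPT RR, or (512, False) without EDNS0."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # qtype + qclass
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        if rtype == DNS_TYPE_OPT:
            return rclass, bool(ttl & EDNS_DO_FLAG)  # class field = UDP size
        off += 10 + rdlen
    return CLASSIC_UDP_LIMIT, False


def udp_limit(query, server_cap):
    """Largest UDP reply the server will send: client's advertised size,
    capped by the server's own configured maximum (hypothetical knob)."""
    advertised, _ = parse_edns(query)
    return min(advertised, server_cap)


def plan_response(query, answer_size, server_cap):
    """Server side: 'udp' if the whole answer fits, else 'udp-tc' (send a
    truncated reply with TC=1 so the client retries over TCP)."""
    return "udp" if answer_size <= udp_limit(query, server_cap) else "udp-tc"


def make_reply_header(query, tc):
    """Minimal response header echoing the query ID, with QR/RD/RA and TC."""
    msg_id = struct.unpack_from("!H", query, 0)[0]
    flags = 0x8180 | (HDR_TC if tc else 0)
    return struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)


def next_transport(response_msg):
    """Client side: retry over TCP when the UDP reply has TC set."""
    flags = struct.unpack_from("!H", response_msg, 2)[0]
    return "tcp" if flags & HDR_TC else "done"


if __name__ == "__main__":
    # Constructed scenario: a validating resolver asks for the DNSKEY RRset of
    # the signed zone with DO set and a 4096-byte buffer; the answer is 1200 bytes.
    q = build_query("berkeley.edu", DNS_TYPE_DNSKEY, edns_udp_size=4096, do=True)
    print("client advertises", parse_edns(q))
    for cap in (4096, 512):
        plan = plan_response(q, 1200, cap)
        reply = make_reply_header(q, tc=(plan == "udp-tc"))
        print(f"server cap {cap}: {plan} -> client next step: {next_transport(reply)}")
```

The 4096-cap server answers in one large UDP datagram, which is exactly the reply the post says some queriers never see; the 512-cap server answers with TC=1 and the querier completes the exchange over TCP. To observe this against a real server, compare `dig +dnssec +bufsize=4096` with `dig +dnssec +bufsize=512` and watch for the `tc` flag and the TCP retry.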