root servers followup

This problem is definitely occurring on h.root-servers.net at the
present time as documented below (similar to results that I see just
arrived in my mailbox from <jh@yahoo.com>). However, an earlier log
from our support department shows that d.root-servers.net and
possibly e.root-servers.net were also having this problem within
the past 60-90 minutes. (also see below)

; <<>> DiG 2.0 <<>> @g.root-servers.net mail.scruznet.com
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr rd; Ques: 1, Ans: 0, Auth: 2, Addit: 2
;; QUESTIONS:
;; mail.scruznet.com, type = A, class = IN

;; AUTHORITY RECORDS:
SCRUZNET.com. 172800 NS NS.SCRUZ.NET.
SCRUZNET.com. 172800 NS NS2.SCRUZ.NET.

;; ADDITIONAL RECORDS:
NS.SCRUZ.NET. 172800 A 165.227.1.1
NS2.SCRUZ.NET. 172800 A 165.227.2.10

;; Total query time: 433 msec
;; FROM: ns.scruz.net to SERVER: g.root-servers.net 192.112.36.4
;; WHEN: Thu Feb 13 18:19:47 1997
;; MSG SIZE sent: 35 rcvd: 123

; <<>> DiG 2.0 <<>> @h.root-servers.net mail.scruznet.com
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10
;; flags: qr aa rd; Ques: 1, Ans: 0, Auth: 1, Addit: 0
;; QUESTIONS:
;; mail.scruznet.com, type = A, class = IN

;; AUTHORITY RECORDS:
. 86400 SOA A.ROOT-SERVERS.NET. hostmaster.INTERNIC.NET. (
                        1997021100 ; serial
                        10800 ; refresh (3 hours)
                        900 ; retry (15 mins)
                        604800 ; expire (7 days)
                        86400 ) ; minimum (1 day)

;; Total query time: 157 msec
;; FROM: ns.scruz.net to SERVER: h.root-servers.net 128.63.2.53
;; WHEN: Thu Feb 13 18:19:47 1997
;; MSG SIZE sent: 35 rcvd: 108

Certain individual(s) on the iahc-discuss list have made statements that
they intend to attack the Internet root servers. I have no idea if this
is the result of such an attack or not. Just a FYI.

This problem is definitely occurring on h.root-servers.net at the
present time as documented below (similar to results that I see just
arrived in my mailbox from <jh@yahoo.com>). However, an earlier log
from our support department shows that d.root-servers.net and
possibly e.root-servers.net were also having this problem within
the past 60-90 minutes. (also see below)

; <<>> DiG 2.0 <<>> @g.root-servers.net mail.scruznet.com
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr rd; Ques: 1, Ans: 0, Auth: 2, Addit: 2
;; QUESTIONS:
;; mail.scruznet.com, type = A, class = IN

;; AUTHORITY RECORDS:
SCRUZNET.com. 172800 NS NS.SCRUZ.NET.
SCRUZNET.com. 172800 NS NS2.SCRUZ.NET.

;; ADDITIONAL RECORDS:
NS.SCRUZ.NET. 172800 A 165.227.1.1
NS2.SCRUZ.NET. 172800 A 165.227.2.10

;; Total query time: 433 msec
;; FROM: ns.scruz.net to SERVER: g.root-servers.net 192.112.36.4
;; WHEN: Thu Feb 13 18:19:47 1997
;; MSG SIZE sent: 35 rcvd: 123

; <<>> DiG 2.0 <<>> @h.root-servers.net mail.scruznet.com
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10
;; flags: qr aa rd; Ques: 1, Ans: 0, Auth: 1, Addit: 0
;; QUESTIONS:
;; mail.scruznet.com, type = A, class = IN

;; AUTHORITY RECORDS:
. 86400 SOA A.ROOT-SERVERS.NET. hostmaster.INTERNIC.NET. (
                    1997021100 ; serial
                      10800 ; refresh (3 hours)
                      900 ; retry (15 mins)
                      604800 ; expire (7 days)
                      86400 ) ; minimum (1 day)

;; Total query time: 157 msec
;; FROM: ns.scruz.net to SERVER: h.root-servers.net 128.63.2.53
;; WHEN: Thu Feb 13 18:19:47 1997
;; MSG SIZE sent: 35 rcvd: 108

--
earlier (sorry, nslookup, not dig)
--
> server d.root-servers.net
Default Server: d.root-servers.net
Served by:
- rs0.internic.net
        198.41.0.5
        ROOT-SERVERS.net
- ns.ripe.net
        193.0.0.193
        ROOT-SERVERS.net
- gw.home.vix.com
        192.5.5.1
        ROOT-SERVERS.net

> cygnus.com
Server: d.root-servers.net
Served by:
- rs0.internic.net
        198.41.0.5
        ROOT-SERVERS.net
- ns.ripe.net
        193.0.0.193
        ROOT-SERVERS.net
- gw.home.vix.com
        192.5.5.1
        ROOT-SERVERS.net

Name: cygnus.com
Served by:
- C.ROOT-SERVERS.NET
        192.33.4.12
        com
- D.ROOT-SERVERS.NET
        128.8.10.90
        com
- E.ROOT-SERVERS.NET
        192.203.230.10
        com
- I.ROOT-SERVERS.NET
        192.36.148.17
        com
- F.ROOT-SERVERS.NET
        192.5.5.241
        com
- G.ROOT-SERVERS.NET
        192.112.36.4
        com
- A.ROOT-SERVERS.NET
        198.41.0.4
        com
- H.ROOT-SERVERS.NET
        128.63.2.53
        com
- B.ROOT-SERVERS.NET
        128.9.0.107
        com

Hank Nussbacher
IAHC member
[the views expressed above belong to the author and do not
necessarily reflect the views of the other IAHC members]

The first one on the list to publicly issue the threat was Bob Allisat.
This man is a rabble rouser and his public statement did not clearly
indicate that he would do this himself but that he would urge others to
initiate attacks on all the root nameservers. Since he hangs out on a lot
of fringe USENET groups it is entirely possible that he has begun inciting
others to take action. As many of you know, a skilled propagandist can be
more dangerous than a man with a gun.

These are the four actions he is calling for:

      STAGE TWO:
      - Electronic conflict...
      - Disable conventional Name Servers...
      - Flood Internic/IANA/ISOC/NSI/SAIC...
      - Point target Individuals...

I think that root nameserver operators should collect any data that could
be used in detecting the source of these problems.

Michael Dillon - Internet & ISP Consulting
Memra Software Inc. - Fax: +1-250-546-3049
http://www.memra.com - E-mail: michael@memra.com
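
An added example, not part of any message in this thread: the comparison done by eye in the two DiG answers above (g.root-servers.net returns a referral, h.root-servers.net returns an authoritative NXDOMAIN for the same name) can be automated over saved dig output so the disagreement is logged with the server name. The function names are hypothetical, and the sample is constructed from the header lines quoted in the thread.

```python
import re

# Constructed sample: banner, header and flags lines of the two DiG 2.0
# answers quoted in this thread, trimmed to the fields the check needs.
SAMPLE = """\
; <<>> DiG 2.0 <<>> @g.root-servers.net mail.scruznet.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr rd; Ques: 1, Ans: 0, Auth: 2, Addit: 2
; <<>> DiG 2.0 <<>> @h.root-servers.net mail.scruznet.com
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10
;; flags: qr aa rd; Ques: 1, Ans: 0, Auth: 1, Addit: 0
"""

BANNER = re.compile(r"^; <<>> DiG \S+ <<>> @(\S+) (\S+)")
STATUS = re.compile(r"status: (\w+)")
FLAGS = re.compile(r"^;; flags: ([a-z ]*);")


def parse_answers(text):
    """Return one dict per DiG answer: server, qname, status, flags."""
    answers = []
    for line in text.splitlines():
        banner = BANNER.match(line)
        if banner:
            answers.append({"server": banner.group(1).lower(),
                            "qname": banner.group(2).lower(),
                            "status": None, "flags": set()})
        elif answers and "->>HEADER<<-" in line:
            status = STATUS.search(line)
            answers[-1]["status"] = status.group(1) if status else None
        elif answers and (flags := FLAGS.match(line)):
            answers[-1]["flags"] = set(flags.group(1).split())
    return answers


def disagreeing_servers(answers):
    """Servers answering authoritative NXDOMAIN for a name a peer answers NOERROR."""
    alive = {a["qname"] for a in answers if a["status"] == "NOERROR"}
    return sorted({a["server"] for a in answers
                   if a["status"] == "NXDOMAIN"
                   and "aa" in a["flags"]
                   and a["qname"] in alive})


if __name__ == "__main__":
    for server in disagreeing_servers(parse_answers(SAMPLE)):
        print(f"{server}: authoritative NXDOMAIN contradicted by another server")
```
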