At #ICANN, they currently discuss the rollover of a root KSK. They switch from an #RSA based key to an elliptic curve algorithm. From algorithm 8 to algorithm 13, a common observation in the past 2 or 3 years.
There will be a multi-year (~3 years) transition period in which both algorithms run in parallel.
Anyone want to read upon it, here is the proposal
Exploring some insights of the #DNS root servers, and I discovered this small bump of NOTIMP repsonse codes of a.root-servers.net, operated by #Verisign. I checked other server instances with public statistics, and also k.root-servers.net, operated by #RIPE observed an uptick in REFUSED responses at around that time.
Does anyone have a clue what was going on last year shortly before the Christmas days?
Just noticed this report of June 2025 root server's IPv4 prefix hijack for 8/13 of the root server operators https://root-servers.org/media/news/2025-06-20_route_hijack.pdf
Do not read this as criticism of #ipinfo, but I am surprised to see that the b, i, k, l and m #DNS root servers have the "privacy" flag set, meaning the IPs attempted to "hide" themselves. IPInfo suggests methods such as #VPN services. I doubt that.
Also, all 13 root server IPs are flagged as #anycast. I thought, there are still ~some~ servers not yet anycasted, but Wikipedia confirms otherwise. Well, well, well...
This one is a pretty long read, and it goes into details of observed #NXDOMAIN patterns with a bias towards the #DNS landscape in #China. I did not expect to see so much leakage of non-public TLDs, but I guess that - despite the bias towards Chinese networks- it probably looks similar in other parts of the world.
After reading this pretty long article, I was still somewhat feeling that it should have gone deeper into query flood phenomena which might cause spikes in NXDOMAIN responses.
No matter what, a well-spent 10 minutes on educating yourself on things that are often not illuminated on one of the #Internet core protocols.
Have a nice weekend, everyone!
The Domain Name System (DNS) is an essential protocol in the architecture of today's Internet. It routinely translates domain names into IP addresses and also often handles a multitude of invalid queries. These include requests for non-existent domain names, termed NXDOMAIN. A high volume of such invalid queries can adversely
Amongst all root servers instances in India, seems like F-Root server by @iscdotorg has most locations, in total 15 locations. All major cities are covered.
See https://root-servers.org/ (scroll down and click F) to see locations.
M Root Server live in NIXI Mumbai now - https://m.root-servers.org/. A local site though.
I was poking about the root servers web pages a few days ago and this explains why I couldn't reach Cogent's C root server and why other root servers had a sudden spike in traffic.
Ever wondered why 13 is such an oddly specific number for #DNS #rootservers? Turns out that you could at most cram 13 domain names and their corresponding #IPv4 addresses in a non-truncated #UDP response. As soon as DNS truncates, the resolver falls back to #TCP. To avoid this additional performance impact and stress to the servers, the number is limited to 13.
« Detecting DNS Root Manipulation » by RIPE labs
https://labs.ripe.net/author/qasim-lone/detecting-dns-root-manipulation/
In 2021, reports emerged that hosts in Mexico were unable to reach whatsapp.net. It was determined that middleboxes were to blame, intercepting the queries to the root instance hosted in China and sending a bogus reply. This article investigates the prevalence of middleboxes using RIPE Atlas probes.
Max Resing
sahilister
Greg
Alexandre Dulaunoy