Dear Jaap and colleagues, On 29 December you wrote to the list:
Stephane's message was on the centr security list which archives seem to be sealed (contrary to what I thought). It was refering to the attack on the .tr name servers about which you reported in <https://www.ripe.net/ripe/mail/archives/dns-wg/2015-December/003184.html> that it had impacted RIPE's DNS service. Apparently Stephan wanted to know why RIPE NCC dropped serving the .tr zone. (My guess, since de RIPE NCC dropped out of the root zone as well, it was done in coordination with the tr people).
So I was just curious wat happened on RIPE's end.
In the incident report you reference above, I did not mention the .TR zone explicitly, which apparently led to unnecessary confusion and an undesired atmosphere of secrecy around the incident. I did mention in the same message that, after applying various mitigation measures during the day, we turned to our upstreams to assist us with mitigation in the late afternoon of Monday 14th. In practice this meant we asked for upstream blackholing of the attack traffic, which effectively meant we were no longer serving the .TR zone. While the event was ongoing, we were of course communicating with the .TR staff frequently. On Tuesday morning, 15 December, the .TR staff informed us that they removed the RIPE NCC secondary server from the .TR zone altogether. I hope this clarifies matters sufficiently. If you have more questions please feel free to ask. I should add, however, that we do not intend to share more details about the attack itself, or the mitigation applied, on this list. An observation that we have made during the past months is that the impact of attacks upon our DNS infrastructure is increasing. This seems to be a more general trend that readers on this list are likely to be aware of, but this may not be the case for the community at large. For the RIPE NCC this means that we are investigating the options to increase the capacity and robustness of our DNS services further. Kind regards, Romeo Zwart