[dns-operations] NSATC DNS oddities last week (affecting hotmail, msn etc)

bert hubert bert.hubert at netherlabs.nl
Fri Aug 3 13:05:22 UTC 2007


On Fri, Aug 03, 2007 at 08:52:47AM -0400, Matt Larson wrote:
> > 2) It has been suggested that PowerDNS invalidate an NS record from its
> > cache if it is not responsive, and refetch from higher up.
> 
> I can already hear my colleague, Piet Barber, screaming,
> "Nooooooooooo!!!" :-)

As you may remember I've had the honour of having Piet call me on all phone
numbers he could find of me in 'whois' when we configured the 'I.AM.' domain
in a way that triggered bad behaviour in recursive servers :-)

> A Reasonably Popular Implementation did this and we saw truly amazing
> traffic storms to the .com/.net servers when a popular zone would go
> offline (and hundreds of thousands of iterative resolvers would
> requery the .com servers to check the delegation).
> 
> We documented this behavior and gave reasoning why it's not the best
> choice in RFC 4697, section 2.1.

Ok, consider me convinced this is not a good idea. I do remain interested in
knowing what in fact happened. The nsatc.net domain does power 'Windows
Update', so it merits attention.

BIND reportedly quickly recovered from the observed oddities, and I hear it
is root-server friendly.

So any stories regarding what happened with nsatc.net are more than welcome.

	Bert

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software 
http://netherlabs.nl              Open and Closed source services



More information about the dns-operations mailing list