[dns-operations] Planned IN-ADDR.ARPA Nameserver Change

Mark Andrews marka at isc.org
Fri Feb 18 23:49:01 UTC 2011 

In message <A50D0A1F-6AA5-400A-94BB-789CF9058053 at icann.org>, Joe Abley writes:
> 
> On 2011-02-18, at 08:49, Joe Abley wrote:
> 
> > On 2011-02-18, at 08:40, Chris Thompson wrote:
> > 
> >> But today we seem to have reverted to the [12-out-of-13].ROOT-SERVERS.NET
> >> nameservers and an unsigned version of the zone :-(
> > 
> > We are aware, and are investigating.
> 
> The previous setup for IN-ADDR.ARPA was as follows:
> 
>   VeriSign -> *.ROOT-SERVERS.NET
>      ^
>      |
>    ARIN
> 
> The transitional setup for IN-ADDR.ARPA is as follows. This configuration was
>  brought live on Wednesday this week:
> 
>   ICANN -> *.IN-ADDR-SERVERS.ARPA
>     |
>     v
>  VeriSign -> *.ROOT-SERVERS.NET
> 
> The zone served by *.IN-ADDR-SERVERS.ARPA was correct at all times. However, 
> it appears that due to an operational hiccup, the following configuration exi
> sted for a window long enough for a new zone to be received from ARIN and be 
> published to the root servers:
> 
>   ICANN -> *.IN-ADDR-SERVERS.ARPA
>     |
>     v
>  VeriSign -> *.ROOT-SERVERS.NET
>     ^
>     |
>    ARIN

Which shouldn't have been a problem if arin was being fed by icann
which is how it should have been done to safely move to a new primary
master.  You always make the old master a slave for the new master.
Doing so prevents these sort of issues.  Unfortunately many people
forget this step or don't think it is necessary.

> The data path from ARIN has now been closed at VeriSign, and all nameservers 
> (including *.ROOT-SERVERS.NET) are now serving the correct zone, serial 20110
> 21902.
> 
> Zone serial 2011021804 (the one sourced from ARIN) contained identical delega
> tions and glue to zone serial 2011021902, so there was no impact on the opera
> tion of the v4 reverse DNS. The ARIN-sourced zone was not signed, however, as
>  was observed by Chris on this list, and so early-adopters with manually-conf
> igured trust anchors may have seen validation failures.
> 
> ICANN will publish an incident report next week which includes more (and auth
> oritative) detail.
> 
> In a couple of weeks (per the published timeline) the root servers will drop 
> the IN-ADDR.ARPA zone altogether, leaving the data path like this:
> 
>   ICANN -> *.IN-ADDR-SERVERS.ARPA
> 
> Once we reach that configuration, assuming no harmful effects have been obser
> ved, a DS Record for the IN-ADDR.ARPA zone will be inserted in ARPA.
> 
> Regards,
> 
> 
> Joe
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list