[dns-operations] The (very) uneven distribution of DNS root servers on the Internet

Mark Andrews marka at isc.org
Thu May 17 23:34:28 UTC 2012


In message <20120517132133.GA28307 at mail.yitter.info>, Andrew Sullivan writes:
> On Wed, May 16, 2012 at 08:52:26PM -0400, Joe Abley wrote:
> > 
> > All the possible outcomes I can think of that lie in this direction
> > winds up with pockets of broken DNS due to infrastructure that none
> > of the current operators can identify, and failures that affect only
> > a subset of users so that a fix is not necessarily obvious.
>  
> I agree with Joe.  When I worked at a TLD registry company, we had a
> very similar case occur when a large ISP in one country was slaving
> the cc TLD zone for that country, and we didn't know it.

How can you "slave" a zone off your servers and not know?

I can understand if they were ftping the zone and loading it as a
master, but true slaving should have caused the zone to expire unless
there was a loop in the zone transfer graph, and we have a technical
fix for that which I tried to get adopted by dnsext.

This is all built into the DNS and works if you just use it.  You
transfer from official sources and when those sources cease to be
official you stop them providing the data.

> We made some
> infrastructure changes, and their slave stopped getting up to date
> copies of the zone, but they didn't check their logs.  Months later,
> we started getting complaints about updates not propagating to the
> zone; it was, of course, that that ISP had a months-old copy of the
> zone.  It took a long time to figure out what the problem was, because
> we had no idea that this was going on.  This particular incident
> sticks in my mind because it affected so many people (one of whom was
> some minister's brother or something, which of course made it all much
> worse), but I remember more than one such incident happening.    
> 
> I think this would happen to the root zone, too, and that seems worse
> than just one ccTLD.  Encouraging random people to keep local copies
> of the root without anyone knowing about it is almost certainly an
> excellent way to cause more DNS failures.
> 
> Best,
> 
> A
> 
> -- 
> Andrew Sullivan
> ajs at anvilwalrusden.com
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
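
The contrast drawn in the message above, between a true secondary whose copy expires and a fetched copy loaded as a master, as an added example that is not part of the original post: a small Python model of the SOA refresh/retry/expire timers from RFC 1035. The timer values, function names and the 90-day scenario are constructed assumptions.

```python
"""Constructed model of a secondary's SOA timers (RFC 1035, section 3.3.13)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SoaTimers:
    refresh: int  # seconds between checks while the primary answers
    retry: int    # seconds between checks after a failed one
    expire: int   # seconds since the last good check before the copy is discarded


def secondary_expiry(t: SoaTimers, primary_gone_at: int, horizon: int) -> Optional[int]:
    """Time at which a true secondary stops serving the zone, or None if the
    copy is still valid at `horizon`. Checks at or after `primary_gone_at` fail."""
    last_ok = 0                 # initial transfer succeeded at time 0
    next_check = t.refresh
    while True:
        deadline = last_ok + t.expire
        if next_check >= deadline:          # no good check inside the expire window
            return deadline if deadline <= horizon else None
        if next_check > horizon:
            return None
        if next_check < primary_gone_at:    # primary still answers: reset the clock
            last_ok = next_check
            next_check = last_ok + t.refresh
        else:                               # failed check: fall back to the retry timer
            next_check += t.retry


def serves_stale_copy(mode: str, t: SoaTimers, primary_gone_at: int, now: int) -> bool:
    """True if the server still answers from its old copy at `now`.
    "secondary": zone transfer with the SOA timers honoured.
    "loaded-as-master": copy fetched out of band and loaded as a primary zone,
    so no timer ever retires it."""
    if now <= primary_gone_at:
        return False
    if mode == "loaded-as-master":
        return True
    if mode == "secondary":
        return secondary_expiry(t, primary_gone_at, now) is None
    raise ValueError(f"unknown mode: {mode}")


DAY = 86400
TIMERS = SoaTimers(refresh=3600, retry=900, expire=7 * DAY)  # constructed values
GONE_AT = 10000  # constructed: the primary becomes unreachable for this server
```

In this model the secondary answers from the old copy only until the expire timer runs out, after which the failure is visible at that server, while the copy loaded as a master keeps answering from months-old data.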


