[dns-operations] asking the European a-k.cctld.us servers for MX records

Joe Abley jabley at hopcount.ca
Wed Mar 27 19:10:10 UTC 2013


On 2013-03-27, at 14:39, Thomas Mieslinger <miesi at pc-h.de> wrote:

> --snip--
> We have corrected the issue that was blocking email/MX queries to US domain names from Europe.
> 
> Neustar had noticed a MX spike in it's servers in Europe over the weekend, and to stop any negative effects, we placed those servers in mitigation. We have modified the mitigation to block all inbound MX queries from recursive servers with the recursive bit turned off, and all email from Europe to .US domain names will now be delivered correctly.
> --snap--

That seems like a curious mitigation tactic.

I don't think it's a reasonable characterisation to link the availability of European-based authoritative servers to the ability for Europeans to send mail to Americans. So long as *some* authoritative servers for .us were responding, and so long as the "mitigation" didn't involve returning false answers, mail would still be delivered; just the recursive MX lookup would take longer.

I would worry, though, that timing out on MX queries specifically would cause use of those European nameservers to be suppressed for other RRTypes, too. That would amount to a wholesale shifting of query traffic from European .us nameservers to those elsewhere without the "mitigation".

The apparent availability and non-availability of those particular servers from the point of view of caches would make capacity planning difficult. The difficulty in diagnosing problems at end-sites is already evident.

There are a lot of moving parts there, and a lot of unpredictable behaviours. I wouldn't have taken that approach to defend against MX spikes.


Joe




More information about the dns-operations mailing list