[dns-operations] asking the European a-k.cctld.us servers for MX records

Thomas Mieslinger miesi at pc-h.de
Sat Mar 30 20:04:12 UTC 2013

Hi Joe,

 > I don't think it's a reasonable characterisation to link the
 > availability of European-based authoritative servers to the ability
 > for Europeans to send mail to Americans. So long as *some*
 > authoritative servers for .us were responding, and so long as the
 > "mitigation" didn't involve returning false answers, mail would still
 > be delivered; just the recursive MX lookup would take longer.

At least in my and Peter van Dijks tests no European v4 connected 
cctld.us Server did respond to MX queries with a referral. So the 66k 
dot us domains my employer hosts where effectively offline.


On 03/27/2013 08:10 PM, Joe Abley wrote:
> On 2013-03-27, at 14:39, Thomas Mieslinger <miesi at pc-h.de> wrote:
>> --snip--
>> We have corrected the issue that was blocking email/MX queries to US domain names from Europe.
>> Neustar had noticed a MX spike in it's servers in Europe over the weekend, and to stop any negative effects, we placed those servers in mitigation. We have modified the mitigation to block all inbound MX queries from recursive servers with the recursive bit turned off, and all email from Europe to .US domain names will now be delivered correctly.
>> --snap--
> That seems like a curious mitigation tactic.
> I would worry, though, that timing out on MX queries specifically would cause use of those European nameservers to be suppressed for other RRTypes, too. That would amount to a wholesale shifting of query traffic from European .us nameservers to those elsewhere without the "mitigation".
> The apparent availability and non-availability of those particular servers from the point of view of caches would make capacity planning difficult. The difficulty in diagnosing problems at end-sites is already evident.
> There are a lot of moving parts there, and a lot of unpredictable behaviours. I wouldn't have taken that approach to defend against MX spikes.
> Joe

More information about the dns-operations mailing list