[dns-operations] The strange case of fox.com

Rich Goodson rgoodson at gronkulator.com
Fri Mar 4 15:05:12 UTC 2016

On 3/3/16 7:52 PM, Dave Warren wrote:
> On 2016-03-02 18:09, Rich Goodson wrote:
>> In the instance that I brought up, undergoing excommunication of the 
>> zone successfully might have made the DNS better as a whole (making 
>> the world a better place), but it would not have solved my problem.
>> My problem was that users couldn't get to a web site some of the time 
>> to pay their credit card bill or check their balance (more 
>> accurately, my problem was having to listen to the complaining that 
>> ensued).  If I, instead of implementing a workaround, got domain 
>> excommunicated, then instead of my users not being able to get to a 
>> web site some of the time, now they can't get to it ever.
> For varying degrees of "ever": if one of my domains or my customer's 
> domains were removed from the root due to technical issues, I'd 
> address those technical issues and get my domain re-instated. You do 
> realize that this isn't a case of removing the domain forever, just 
> until it's properly configured, correct?
And here I assumed zone excommunication involved removing the delegation 
from the upstream provider, powering off any hosting servers, removing 
their hard drives, putting them through an NSA style hard disk shredder, 
removing the physical machine, selling it on Ebay, then burning the 
datacenter to the ground, covering the site with dirt using bulldozers 
and then salting the earth afterwards.  Silly me.

I apologize if that sounded harsh.  I thought it was funny, but I've 
been traveling and am tired.  What I meant to say is, "Who tests it over 
and over for proper configuration?  Who decides when it's proper?  Why 
wouldn't they instead just threaten a lawsuit demanding that their 
domain be turned back on? For many corporations that's an easier route 
than looking to fix an underlying technical issue. (Not the lawsuit 
itself, just the threat of one.  That's usually sufficient, anyway.)  It 
was already working well enough for them, clearly."

Also, who is to say that I can't have a misconfigured domain if I want 
to?  I have a misconfigured delegation right now that I created for 
educational purposes for a friend of mine who works at a major hosting 
provider.  I created it so that he could demonstrate this very issue 
that we're talking about to customers and people he works with.  If my 
domain was removed with the condition that I "fix" my deliberate 
misconfiguration, I'd be livid.
> Sure, some tiny percentage of domains might pack it up and take up a 
> new hobby, but for any business that wants people to pay their bills, 
> buy their services, view their ads, or otherwise do the things that 
> justify the expense of a having an internet presence, 
> they'll hire someone competent and fix the issue.
It appears that they hired someone competent who fixed it some 18 months 

>> The only benefit to me would have been no longer hearing "it works on 
>> Google's DNS". 
> I think you're either thinking only 17 minutes ahead here; give it at 
> least 30 minutes for someone to get paged, respond, frantically review 
> the fundamentals of DNS delegation and fix things up. Once the 
> underlying problem is resolved, it would work on Google's DNS, yours, 
> mine, and everyone else's.
I hosted DNS at the time for just over a million customers.  Since this 
was a delegation problem, I can guarantee you that we weren't the only 
ones experiencing this issue. Given they had a significant percentage of 
their customer base for whom their stuff was intermittently broken 
already, AND that they didn't respond to emails sent to any whois 
contacts, or root, or hostmaster|postmaster, or calls to multiple of 
their physical locations; I think it's a bit optimistic to think that 
removing their delegation will get them to fix their problem in an 
additional 13 minutes.  Their monitoring at best would probably be 
reporting the state of their name server machine and possibly their 
server process and query their authoritative servers for a particular 
record.  None of that monitoring will tell them anything about their 
delegation, else they would have known about the problem already.

Plus, my job title at the time was not, "Person Assigned To Attempt To 
Make Improvements To The Internet".  My job (or about 15% of my job) was 
to make sure our customers could resolve DNS.  After multiple days spent 
imitating Don Quixote on this issue already, my fake delegation "fixed" 
the problem, at least for my customers.  I had no more time to spend on 
the issue.
> We might still hear "It works on Google's DNS", to which you would 
> reply "Yup, and it works on mine too!"
How cheerful you make me sound.  As you can tell from the above, I'm 
clearly a curmudgeon.


More information about the dns-operations mailing list