In message <[email protected]>, Andrew Sullivan writes:
> On Wed, May 16, 2012 at 08:52:26PM -0400, Joe Abley wrote:
> >
> > All the possible outcomes I can think of that lie in this direction
> > wind up with pockets of broken DNS due to infrastructure that none
> > of the current operators can identify, and failures that affect only
> > a subset of users so that a fix is not necessarily obvious.
>
> I agree with Joe. When I worked at a TLD registry company, we had a
> very similar case occur when a large ISP in one country was slaving
> the cc TLD zone for that country, and we didn't know it.

How can you "slave" a zone off your servers and not know? I can
understand if they were ftping the zone and loading it as a master,
but true slaving should have caused the zone to expire unless there
was a loop in the zone transfer graph, and we have a technical fix
for that which I tried to get adopted by dnsext. This is all built
into the DNS and works if you just use it. You transfer from official
sources and when those sources cease to be official you stop them
providing the data.

> We made some
> infrastructure changes, and their slave stopped getting up to date
> copies of the zone, but they didn't check their logs. Months later,
> we started getting complaints about updates not propagating to the
> zone; it was, of course, that that ISP had a months-old copy of the
> zone. It took a long time to figure out what the problem was, because
> we had no idea that this was going on. This particular incident
> sticks in my mind because it affected so many people (one of whom was
> some minister's brother or something, which of course made it all much
> worse), but I remember more than one such incident happening.
>
> I think this would happen to the root zone, too, and that seems worse
> than just one ccTLD. Encouraging random people to keep local copies
> of the root without anyone knowing about it is almost certainly an
> excellent way to cause more DNS failures.
>
> Best,
>
> A
>
> --
> Andrew Sullivan
> [email protected]
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
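
Added example, not part of the original message and not taken from any DNS server's code: a simplified model of the SOA refresh/retry/expire timers (RFC 1034/1035) that the reply relies on, contrasting a true secondary with a zone file copied by hand and loaded as a master. The timer values and the names SoaTimers, secondary_state, failed_checks, still_answers and timeline are assumptions made for illustration; loops in the zone transfer graph are not modelled.

```python
from dataclasses import dataclass

DAY = 86400

@dataclass(frozen=True)
class SoaTimers:
    refresh: int  # seconds between serial checks against the primary
    retry: int    # seconds between checks once a check has failed
    expire: int   # seconds without a successful check before the copy is discarded

# Constructed sample timers, not taken from any real zone.
SAMPLE = SoaTimers(refresh=1800, retry=900, expire=7 * DAY)

def secondary_state(t: SoaTimers, since_last_good: int) -> str:
    """State of a true secondary, `since_last_good` seconds after its last successful check."""
    if since_last_good >= t.expire:
        return "expired"    # zone no longer authoritative; server stops answering from it
    if since_last_good >= t.refresh:
        return "retrying"   # still answering, but the copy may be stale
    return "fresh"

def failed_checks(t: SoaTimers, since_last_good: int) -> int:
    """Failed checks logged so far: one at `refresh`, then one per `retry` until expiry."""
    if since_last_good < t.refresh:
        return 0
    return 1 + (min(since_last_good, t.expire) - t.refresh) // t.retry

def still_answers(mode: str, t: SoaTimers, since_last_good: int) -> bool:
    """'secondary' is governed by SOA expire; 'file-as-master' (zone file copied
    by hand and loaded as a master) has no expire timer at all."""
    if mode == "secondary":
        return secondary_state(t, since_last_good) != "expired"
    if mode == "file-as-master":
        return True
    raise ValueError(f"unknown mode: {mode}")

def timeline(t: SoaTimers, days=(0, 1, 6, 8, 90)):
    """(day, secondary state, secondary answers?, file-as-master answers?) per sample day."""
    rows = []
    for d in days:
        s = d * DAY
        rows.append((d, secondary_state(t, s),
                     still_answers("secondary", t, s),
                     still_answers("file-as-master", t, s)))
    return rows

if __name__ == "__main__":
    for row in timeline(SAMPLE):
        print(row)
```

With these sample timers the secondary stops answering after seven days, while the hand-loaded copy is still serving 90-day-old data, which matches the months-old copy described in the quoted message.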
