On Sun, Jun 23, 2013 at 07:49:14PM -0400, Valdis.Kletnieks@vt.edu wrote:
> On Sat, 22 Jun 2013 20:45:44 +0200, Andre Tomt said:
> > Seems the entire .biz tld is failing DNSSEC validation now. All of my DNSSEC validating resolvers are tossing all domains in .biz. The non-signed domains too of course because trust of the tld itself cannot be established.
> So which event caused more disruption? 50K .com's in a failed DDoS mitigation, or every single .biz lookup by something that actually does dnssec?
I think two different things happened here:

1) The .biz breakage reinforces the fact that validation can cause disruption. If it were .com and not fixed for a few hours, every major ISP would likely turn off validation for a year or more.

2) The .com issue shows some major "brands" that they need to be more demanding of their providers.

Some really interesting data here. I ran a few domains through some DNS server lists I have lying around, and saw stuff like this:

8.23.128.129/53/www.usps.com^IN^CNAME^www.usps.com.edgekey.net|www.usps.com.edgekey.net^IN^CNAME^usps.georedirector.usps.com.akadns.net|usps.georedirector.usps.com.akadns.net^IN^CNAME^e7154.dscb.akamaiedge.net|e7154.dscb.akamaiedge.net^IN^A^23.35.198.219//usps.com^IN^NS^ns1621.ztomy.com|usps.com^IN^NS^ns2621.ztomy.com

So, you see www.usps.com points at edgekey, but the authority for usps.com was still held as ztomy for some time. (I don't have it printing the TTLs, but could add that...)

This excludes DNS servers that are *very* broken, such as ones that will replace existing authority/delegation w/ stuff returned in an unrelated query (as seen above) or other unsolicited data. (I get many servers that tell me stuff I *really* didn't ask for.)

(I queried for openresolverproject and got back something about betterbricks.com.)

190.51.146.2/21528/betterbricks.com^IN^MX^30 betterbricks.com.s10b1.psmtp.com|betterbricks.com^IN^MX^40 betterbricks.com.s10b2.psmtp.com|betterbricks.com^IN^MX^10 betterbricks.com.s10a1.psmtp.com|betterbricks.com^IN^MX^20 betterbricks.com.s10a2.psmtp.com//

Or this, which seems to delegate root to some nipr.mil host:

214.4.226.2/53//con2.nipr.mil^IN^A^199.252.162.234|con1.nipr.mil^IN^A^207.132.116.25/.^IN^NS^con2.nipr.mil|.^IN^NS^con1.nipr.mil

- Jared

-- 
Jared Mauch  | pgp key available via finger from jared@puck.nether.net
clue++;      | http://puck.nether.net/~jared/ -  My statements are only mine.
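The dump lines in Jared's message are a compact "ip/port/answer/additional/authority" record per resolver, and the two broken cases he calls out (unsolicited MX records for an unrelated name, and a root delegation pointing at nipr.mil hosts) are exactly what a bailiwick check catches. The script below is an added example, not code from the message or from the Open Resolver Project: it parses that record format, walks the answer section following the CNAME chain, and flags any record the query did not justify. The field order (answer, then additional, then authority) is inferred from the three lines in the message, the query names attached to each sample are assumptions (the message only says "openresolverproject"), and the sample lines themselves are constructed to mirror the ones quoted above.

```python
# Added example: bailiwick / unsolicited-data check over the
# "ip/port/answer/additional/authority" dump lines quoted in the message.
# ASSUMPTIONS: the field order is inferred from the quoted lines, and the
# query names in SAMPLES are guesses; the sample lines are constructed.

ROOT_SERVERS = {f"{c}.root-servers.net" for c in "abcdefghijklm"}


def norm(name):
    """Lower-case and strip the trailing dot; the root zone becomes ''."""
    return name.strip().lower().rstrip(".")


def in_zone(zone, name):
    """True if name is zone itself or lies below it ('' is the root, above all)."""
    return zone == "" or name == zone or name.endswith("." + zone)


def parse_rr(text):
    """'owner^class^type^rdata' -> (owner, class, TYPE, rdata)."""
    owner, rrclass, rtype, rdata = text.split("^", 3)
    return norm(owner), rrclass, rtype.upper(), rdata.strip()


def parse_section(text):
    return [parse_rr(t) for t in text.split("|") if t]


def parse_dump(line):
    """ip/port/answer/additional/authority -> (ip, port, ans, add, auth)."""
    ip, port, ans, add, auth = line.split("/")
    return ip, int(port), parse_section(ans), parse_section(add), parse_section(auth)


def check_response(qname, answer, additional, authority):
    """Return (section, message) findings for data the query did not ask for."""
    qname = norm(qname)
    findings = []
    allowed = [qname]      # names the ANSWER section may legitimately cover
    targets = set()        # hostnames that glue in ADDITIONAL may resolve
    for owner, _, rtype, rdata in answer:
        if owner not in allowed:
            findings.append(("answer", f"unsolicited {rtype} {owner} (asked {qname})"))
            continue
        if rtype == "CNAME":
            allowed.append(norm(rdata))           # follow the chain
        elif rtype in ("NS", "MX"):
            targets.add(norm(rdata.split()[-1]))  # MX rdata is "pref host"
    for owner, _, rtype, rdata in authority:
        if rtype != "NS":
            findings.append(("authority", f"non-NS {rtype} for {owner or '.'}"))
            continue
        ns = norm(rdata)
        if not any(in_zone(owner, n) for n in allowed):
            findings.append(("authority", f"out-of-bailiwick NS for {owner or '.'}"))
        elif owner == "" and ns not in ROOT_SERVERS:
            # the root is an ancestor of every name, so bailiwick alone never
            # rejects it; check the delegation targets instead
            findings.append(("authority", f"root zone delegated to {ns}"))
        targets.add(ns)
    for owner, _, rtype, _ in additional:
        if owner not in targets:
            findings.append(("additional", f"unsolicited {rtype} {owner}"))
    return findings


SAMPLES = [  # constructed to mirror the message; query names are assumptions
    ("www.usps.com",
     "8.23.128.129/53/www.usps.com^IN^CNAME^www.usps.com.edgekey.net|"
     "www.usps.com.edgekey.net^IN^CNAME^usps.georedirector.usps.com.akadns.net|"
     "usps.georedirector.usps.com.akadns.net^IN^CNAME^e7154.dscb.akamaiedge.net|"
     "e7154.dscb.akamaiedge.net^IN^A^23.35.198.219//"
     "usps.com^IN^NS^ns1621.ztomy.com|usps.com^IN^NS^ns2621.ztomy.com"),
    ("openresolverproject.org",
     "190.51.146.2/21528/betterbricks.com^IN^MX^30 betterbricks.com.s10b1.psmtp.com|"
     "betterbricks.com^IN^MX^40 betterbricks.com.s10b2.psmtp.com//"),
    ("openresolverproject.org",
     "214.4.226.2/53//con2.nipr.mil^IN^A^199.252.162.234|"
     "con1.nipr.mil^IN^A^207.132.116.25/"
     ".^IN^NS^con2.nipr.mil|.^IN^NS^con1.nipr.mil"),
]


def audit(samples=SAMPLES):
    """Map 'ip:port' -> findings; an empty list means nothing unsolicited."""
    out = {}
    for qname, line in samples:
        ip, port, ans, add, auth = parse_dump(line)
        out[f"{ip}:{port}"] = check_response(qname, ans, add, auth)
    return out


if __name__ == "__main__":
    for server, findings in audit().items():
        print(server, findings or "clean")
```

Note what this does and does not catch: the usps.com line passes cleanly, because ztomy NS records for usps.com are in bailiwick for a www.usps.com query. Stale or hijacked-but-plausible authority like that can only be spotted by comparing against the parent zone's delegation (or the TTLs Jared mentions), not by a per-response check.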