Ok, but isn't this "one of those things" taken up better with google and yahoo sales people?
Operationally, they have a large impact and they responded well.
If you only knew how many DDOS attacks your providers (all encompassed) see and soak up, you'd be surprised.
YMMV
-M
Regards,
-- Martin Hannigan (c) 617-388-2663 VeriSign, Inc. (w) 703-948-7018 <http://www.verisign.com/>
-----Original Message----- From: owner-nanog@merit.edu <owner-nanog@merit.edu> To: Patrick W.Gilmore <patrick@ianai.net>; nanog@merit.edu <nanog@merit.edu> CC: Patrick W.Gilmore <patrick@ianai.net> Sent: Wed Jun 16 16:51:34 2004 Subject: Re: Akamai DNS Issue?
----- Original Message ----- From: "Patrick W.Gilmore" <patrick@ianai.net> To: <nanog@merit.edu> Cc: "Patrick W.Gilmore" <patrick@ianai.net> Sent: Wednesday, June 16, 2004 5:32 PM Subject: Re: Akamai DNS Issue?
On Jun 16, 2004, at 1:26 PM, Pete Schroebel wrote:
With the Akamai issue we were seeing only partial resolution and since we pay Google a big whack of dough each month it is important for their network to resolve. Additionally, we have the same contracts with Overture/Yahoo/SBC so they are equally important. We even went as far as asking Paul Vixie if we were routed to the blackhole. It is the same issue, just a different flavor.
I really hate getting into flame wars, but I am interested in data about this last event.
You say "it is the same issue, just a different flavor". I am wondering if you meant the problem Tuesday morning is the same problem you had weeks ago, or if the problem you had weeks ago is the same as the problem you are having with Overture / Yahoo / SBC? It is unclear to me exactly what you meant, and "Details are Important". :)
If you honestly believe you had the same problem weeks ago that everyone else experienced Tuesday morning, please give us some more information. I do not believe Akamai has ever had the type of problem experienced yesterday.
-- TTFN, patrick
We have been experiencing this problem weeks ago, this is virtually under the same spectrum of problems that Akamai via AKADNS.NET with their corporate DNS servers that carry traffic for google, yahoo, msn, etc. When we were asking if Akamai blacklisted/blackholed ip addresses ( we meant at router-level or DNS-level ) as we were experiencing lack of resolution to yahoo, and google. We noted that google adwords were using a different dns than akamai and could be seen. The problem continued intermittently throughout the week, yet nobody put the questions we were asking along with the issues taking place from Akamai within despite our pleas, and requests to resolve this issue. We performed traceroutes, pings, bgp summaries making sure we weren't being blocked before we started pointing any fingers and asking any stupid questions yet we still were ignored and could have helped Akamai prevent such occurrences from happening. It is us who is paying google $186,000 a quarter and Yahoo $146,000 a quarter in advertising, you'd think that someone would look our way and see we're having troubles rather than walking on while we were being mugged. Rather than being treated as mere babble we could have provided our logs as we were working within over 30 looking glasses trying to see what was happening and where the problem was occurring.
- Pete
So, were google/yahoo able to get verisign to push a change to the gtld registry to update their NS's, or was it just done during a scheduled update? How much clout does one need to have the com zone updated/pushed/reloaded? ;)
On Jun 16, 2004, at 10:28 PM, Hannigan, Martin wrote:
Ok, but isn't this "one of those things" taken up better with google and yahoo sales people?
Operationally, they have a large impact and they responded well.
If you only knew how many DDOS attacks your providers (all encompassed) see and soak up, you'd be surprised.
YMMV
-M
Regards,
-- Martin Hannigan (c) 617-388-2663 VeriSign, Inc. (w) 703-948-7018 <http://www.verisign.com/>
-----Original Message----- From: owner-nanog@merit.edu <owner-nanog@merit.edu> To: Patrick W.Gilmore <patrick@ianai.net>; nanog@merit.edu <nanog@merit.edu> CC: Patrick W.Gilmore <patrick@ianai.net> Sent: Wed Jun 16 16:51:34 2004 Subject: Re: Akamai DNS Issue?
----- Original Message ----- From: "Patrick W.Gilmore" <patrick@ianai.net> To: <nanog@merit.edu> Cc: "Patrick W.Gilmore" <patrick@ianai.net> Sent: Wednesday, June 16, 2004 5:32 PM Subject: Re: Akamai DNS Issue?
On Jun 16, 2004, at 1:26 PM, Pete Schroebel wrote:
With the Akamai issue we were seeing only partial resolution and since we pay Google a big whack of dough each month it is important for their network to resolve. Additionally, we have the same contracts with Overture/Yahoo/SBC so they are equally important. We even went as far as asking Paul Vixie if we were routed to the blackhole. It is the same issue, just a different flavor.
I really hate getting into flame wars, but I am interested in data about this last event.
You say "it is the same issue, just a different flavor". I am wondering if you meant the problem Tuesday morning is the same problem you had weeks ago, or if the problem you had weeks ago is the same as the problem you are having with Overture / Yahoo / SBC? It is unclear to me exactly what you meant, and "Details are Important". :)
If you honestly believe you had the same problem weeks ago that everyone else experienced Tuesday morning, please give us some more information. I do not believe Akamai has ever had the type of problem experienced yesterday.
-- TTFN, patrick
We have been experiencing this problem weeks ago, this is virtually under the same spectrum of problems that Akamai via AKADNS.NET with their corporate DNS servers that carry traffic for google, yahoo, msn, etc. When we were asking if Akamai blacklisted/blackholed ip addresses ( we meant at router-level or DNS-level ) as we were experiencing lack of resolution to yahoo, and google. We noted that google adwords were using a different dns than akamai and could be seen. The problem continued intermittently throughout the week, yet nobody put the questions we were asking along with the issues taking place from Akamai within despite our pleas, and requests to resolve this issue. We performed traceroutes, pings, bgp summaries making sure we weren't being blocked before we started pointing any fingers and asking any stupid questions yet we still were ignored and could have helped Akamai prevent such occurrences from happening. It is us who is paying google $186,000 a quarter and Yahoo $146,000 a quarter in advertising, you'd think that someone would look our way and see we're having troubles rather than walking on while we were being mugged. Rather than being treated as mere babble we could have provided our logs as we were working within over 30 looking glasses trying to see what was happening and where the problem was occurring.
- Pete
On Jun 17, 2004, at 11:22 AM, Matt Levine wrote:
So, were google/yahoo able to get verisign to push a change to the gtld registry to update their NS's, or was it just done during a scheduled update?
What makes you think an update at the GTLDs was required?
Try digging for google.com, then dig for www.google.com. See which points at whom.
-- TTFN, patrick
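What the two dig queries in the message above distinguish, as an added example that is not part of the original thread: a name that is a CNAME into another operator's zone depends on that zone's name servers, which the parent-zone NS records for the site's own domain do not control. All names, addresses and records below are constructed placeholders, and the helper functions are hypothetical.

```python
# Constructed sample data: placeholder names, not records from the thread.
# Zones as delegated from their TLDs, with the NS set the registry publishes.
DELEGATIONS = {
    "example.com.": ["ns1.example.com.", "ns2.example.com."],  # site operator
    "example.net.": ["a.example.net.", "b.example.net."],      # DNS/CDN provider
}
# Records each zone's own servers answer with.
RECORDS = {
    "example.com.": ("A", "192.0.2.10"),
    "www.example.com.": ("CNAME", "www.example.com.lb.example.net."),
    "www.example.com.lb.example.net.": ("A", "198.51.100.20"),
}

def zone_of(name, delegations=DELEGATIONS):
    """Return the longest delegated zone that contains name."""
    hits = [z for z in delegations if name == z or name.endswith("." + z)]
    if not hits:
        raise LookupError(f"no delegation covers {name}")
    return max(hits, key=len)

def resolution_path(name, records=RECORDS, max_hops=8):
    """Follow CNAMEs from name; return [(owner, zone, rtype), ...]."""
    path = []
    for _ in range(max_hops):  # bound the chain, guards against loops
        rtype, value = records[name]
        path.append((name, zone_of(name), rtype))
        if rtype != "CNAME":
            return path
        name = value
    raise RuntimeError("CNAME chain too long or looping")

def zones_needed(name):
    """Zones whose name servers must answer for name to resolve, in order."""
    seen = []
    for _, zone, _ in resolution_path(name):
        if zone not in seen:
            seen.append(zone)
    return seen

def resolves(name, zones_down):
    """True if no zone on the resolution path is unreachable."""
    return not (set(zones_needed(name)) & set(zones_down))

if __name__ == "__main__":
    for n in ("example.com.", "www.example.com."):
        print(n, zones_needed(n), "up during example.net. outage:",
              resolves(n, {"example.net."}))
```

Replacing the NS list under `DELEGATIONS["example.com."]` leaves `zones_needed("www.example.com.")` unchanged, because the dependency comes from the CNAME target's zone rather than from the delegation in the TLD.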
Ya...didn't look at the setup before I posted, oh well.. I'll still pose the question as a theoretical one... say it was ultradns rather than akadns (..or any substantially large website in traffic having an authoritative DNS attack), would verisign be willing to push changes for somebody 'big' ? should they?
Matt
On Jun 17, 2004, at 10:28 AM, Patrick W Gilmore wrote:
On Jun 17, 2004, at 11:22 AM, Matt Levine wrote:
So, were google/yahoo able to get verisign to push a change to the gtld registry to update their NS's, or was it just done during a scheduled update?
What makes you think an update at the GTLDs was required?
Try digging for google.com, then dig for www.google.com. See which points at whom.
-- TTFN, patrick
On Jun 17, 2004, at 11:37 AM, Matt Levine wrote:
Ya...didn't look at the setup before I posted, oh well..
I'll still pose the question as a theoretical one... say it was ultradns rather than akadns (..or any substantially large website in traffic having an authoritative DNS attack), would verisign be willing to push changes for somebody 'big' ? should they?
The only time I remember that the .com zone was pushed out of window for a customer was one time AOL had a problem with AOL.com. I think they let it expire by accident, not certain. Check the NANOG archives. Interesting that AOL can force a push but "ianai.net" cannot. Is it because they have more users? Would citibank.com be able to do the same thing? How about xxxPR0Nxxx.com? I bet some of them have lots and lots of users too.... :) Other than that, I remember the .com zone being pushed mid-day when there was an error during the over-night push. -- TTFN, patrick
On Thu, Jun 17, 2004 at 11:49:20AM -0400, Patrick W Gilmore wrote:
On Jun 17, 2004, at 11:37 AM, Matt Levine wrote:
I'll still pose the question as a theoretical one... say it was ultradns rather than akadns (..or any substantially large website in traffic having an authoritative DNS attack), would verisign be willing to push changes for somebody 'big' ? should they?
The only time I remember that the .com zone was pushed out of window for a customer was one time AOL had a problem with AOL.com. I think they let it expire by accident, not certain. Check the NANOG archives.
Other than that, I remember the .com zone being pushed mid-day when there was an error during the over-night push.
patrick
think stability. --bill
--On Thursday, June 17, 2004 16:07 +0000 bmanning@vacation.karoshi.com wrote:
think stability.
I think recent events prove pretty well that Verisign GRS no longer gives a crap about stability. Have we forgotten *.COM so quickly?
think stability.
I think recent events prove pretty well that Verisign GRS no longer gives a crap about stability. Have we forgotten *.COM so quickly?
oh please. i was publicly critical of *.COM and *.NET, but that's a policy problem, not an operational problem. verisign has a very good record for name server uptime, both at the TLD and root level. if you're going to complain about their wildcard policies, please be specific. (note that verisign has amended their complaint against icann (since the court dismissed the first one) and i'm now named as a co-conspirator. if you reply to this message, there's a good chance of your e-mail appearing in court filings at some point.) -- Paul Vixie
On 17 Jun 2004 18:00:02 +0000 Paul Vixie <vixie@vix.com> wrote:
(note that verisign has amended their complaint against icann (since the court dismissed the first one) and i'm now named as a co-conspirator. if you reply to this message, there's a good chance of your e-mail appearing in court filings at some point.)
Cool. :-)
--
D'Arcy J.M. Cain <darcy@druid.net>         |  Democracy is three wolves
http://www.druid.net/darcy/                |  and a sheep voting on
+1 416 425 1212     (DoD#0082)    (eNTP)   |  what's for dinner.
On Thu, 2004-06-17 at 20:00, Paul Vixie wrote:
think stability.
I think recent events prove pretty well that Verisign GRS no longer gives a crap about stability. Have we forgotten *.COM so quickly?
oh please. i was publicly critical of *.COM and *.NET, but that's a policy problem, not an operational problem. verisign has a very good record for name server uptime, both at the TLD and root level. if you're going to complain about their wildcard policies, please be specific.
Enough has been said about that, though a concrete list of the cons has never been published (pointers anyone?). The biggest con is simply that .com becomes a normal domain and not a zone which only contains NS records making every domain just a subzone (technically that is it indeed) of the .com. If Verisign wants to own every domain in the .com zone they should register every one of them separately and pay the registration fees to one of the other registrars. It also breaks normal operational usage and the year old assumptions that people can make of it.
(note that verisign has amended their complaint against icann (since the court dismissed the first one) and i'm now named as a co-conspirator. if you reply to this message, there's a good chance of your e-mail appearing in court filings at some point.)
For that matter I think (and hope) that most people on NANOG will be delighted to stand at your side against this Verisign madness. Greets, Jeroen
participants (8)
- bmanning@vacation.karoshi.com
- D'Arcy J.M. Cain
- Hannigan, Martin
- Jeroen Massar
- Matt Levine
- Michael Loftis
- Patrick W Gilmore
- Paul Vixie