.mil domain root only hosted by one server??
I just stumbled across something I thought was interesting. All the .mil domain names used by the U.S. Military are served by one single root server. I thought that was a bit odd. I'm sure that one server is more than enough to handle the queries for all the .mil domains with no problem, but it doesn't seem very redundant or safe at all. Especially for something our military uses. There's something that could be beefed up a little bit. My other thought (which others may know) was that perhaps the military runs G.ROOT-SERVERS.NET and I'm just not aware of it. Maybe it's a policy to only run .mil on what they can control? Even still, I think it might be in their best interest to setup a few more. These are the results I got when I queried A.ROOT-SERVERS.NET: ; <<>> DiG 9.2.1 <<>> @a.root-servers.net mil. ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41 ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;mil. IN A ;; AUTHORITY SECTION: mil. 86400 IN SOA G.ROOT-SERVERS.NET. HOSTMASTER.N IC.mil. 2002082000 3600 900 1209600 86400 ;; Query time: 390 msec ;; SERVER: 198.41.0.4#53(a.root-servers.net) ;; WHEN: Wed Aug 21 15:38:58 2002 ;; MSG SIZE rcvd: 90 I'd like comments from anyone with more information on this. I'm just curious as to why it is this way and what the reasoning behind it is. Maybe I'll email hostmaster.nic.mil and ask. ;) Vinny Abello Network Engineer Server Management vinny@tellurian.com (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN
On Wed, Aug 21, 2002 at 03:46:22PM -0400, Vinny Abello wrote:
I just stumbled across something I thought was interesting. All the .mil domain names used by the U.S. Military are served by one single root server.
[jabley@peppermill]% for n in a b c d e f g h i j k l m; do for> dig @${n}.root-servers.net ns mil. | egrep -qi '^mil.*NS' && \ for cmdand> echo "${n}.root-servers.net provides a delegation for MIL." for> done a.root-servers.net provides a delegation for MIL. b.root-servers.net provides a delegation for MIL. c.root-servers.net provides a delegation for MIL. d.root-servers.net provides a delegation for MIL. e.root-servers.net provides a delegation for MIL. f.root-servers.net provides a delegation for MIL. g.root-servers.net provides a delegation for MIL. h.root-servers.net provides a delegation for MIL. i.root-servers.net provides a delegation for MIL. j.root-servers.net provides a delegation for MIL. k.root-servers.net provides a delegation for MIL. l.root-servers.net provides a delegation for MIL. m.root-servers.net provides a delegation for MIL. [jabley@peppermill]% dig ns mil. ; <<>> DiG 8.3 <<>> ns mil. ;; res options: init recurs defnam dnsrch ;; got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2 ;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 5 ;; QUERY SECTION: ;; mil, type = NS, class = IN ;; ANSWER SECTION: mil. 23h59m24s IN NS PAC2.NIPR.mil. mil. 23h59m24s IN NS A.ROOT-SERVERS.NET. mil. 23h59m24s IN NS B.ROOT-SERVERS.NET. mil. 23h59m24s IN NS E.ROOT-SERVERS.NET. mil. 23h59m24s IN NS G.ROOT-SERVERS.NET. mil. 23h59m24s IN NS H.ROOT-SERVERS.NET. mil. 23h59m24s IN NS CON1.NIPR.mil. mil. 23h59m24s IN NS CON2.NIPR.mil. mil. 23h59m24s IN NS EUR1.NIPR.mil. mil. 23h59m24s IN NS EUR2.NIPR.mil. mil. 23h59m24s IN NS PAC1.NIPR.mil. ;; ADDITIONAL SECTION: A.ROOT-SERVERS.NET. 6d23h59m20s IN A 198.41.0.4 B.ROOT-SERVERS.NET. 6d23h59m20s IN A 128.9.0.107 E.ROOT-SERVERS.NET. 6d23h59m21s IN A 192.203.230.10 G.ROOT-SERVERS.NET. 6d23h59m22s IN A 192.112.36.4 H.ROOT-SERVERS.NET. 6d23h59m22s IN A 128.63.2.53 ;; Total query time: 93 msec ;; FROM: peppermill.automagic.org to SERVER: default -- 204.152.184.68 ;; WHEN: Wed Aug 21 12:56:09 2002 ;; MSG SIZE sent: 21 rcvd: 316 [jabley@peppermill]%
I thought that was a bit odd. I'm sure that one server is more than enough to handle the queries for all the .mil domains with no problem, but it doesn't seem very redundant or safe at all.
All thirteen root servers contain delegations for MIL, and there are eleven servers which will provide an authoritative response to a query for SOA (of which five are also root servers). Joe
On Wed, 21 Aug 2002 15:46:22 EDT, Vinny Abello <vinny@tellurian.com> said:
I just stumbled across something I thought was interesting. All the .mil domain names used by the U.S. Military are served by one single root server. I thought that was a bit odd. I'm sure that one server is more than
The fact that you only see one doesn't mean there's only one. And note that the .MIL domain perhaps has a vested interest in *NOT* having a fully redundant view of the world accessible from outside. Sure, it's one point of failure - but if you're battening down the hatches because of an attack, it's also a one-stop place to cut yourself off.... -- Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech
On Wed, Aug 21, 2002 at 03:46:22PM -0400, Vinny Abello wrote:
I just stumbled across something I thought was interesting. All the .mil domain names used by the U.S. Military are served by one single root server. I thought that was a bit odd. I'm sure that one server is more than enough to handle the queries for all the .mil domains with no problem, but it doesn't seem very redundant or safe at all. Especially for something our military uses. There's something that could be beefed up a little bit. My other thought (which others may know) was that perhaps the military runs G.ROOT-SERVERS.NET and I'm just not aware of it. Maybe it's a policy to only run .mil on what they can control? Even still, I think it might be in their best interest to setup a few more.
These are the results I got when I queried A.ROOT-SERVERS.NET:
; <<>> DiG 9.2.1 <<>> @a.root-servers.net mil. ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41 ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION: ;mil. IN A
;; AUTHORITY SECTION: mil. 86400 IN SOA G.ROOT-SERVERS.NET. HOSTMASTER.N IC.mil. 2002082000 3600 900 1209600 86400
Ummmm. The SOA MNAME field is always a single server. bastet[~]$ dig +short mil ns @g.root-servers.net PAC1.NIPR.mil. H.ROOT-SERVERS.NET. G.ROOT-SERVERS.NET. CON2.NIPR.mil. EUR2.NIPR.mil. E.ROOT-SERVERS.NET. PAC2.NIPR.mil. CON1.NIPR.mil. B.ROOT-SERVERS.NET. A.ROOT-SERVERS.NET. EUR1.NIPR.mil. bastet[~]$ -Pete
Ooops... My apologies (before I get slammed). I forgot the query type of NS in my dig. ; <<>> DiG 9.2.1 <<>> @a.root-servers.net ns mil. ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41 ;; flags: qr aa rd; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 11 ;; QUESTION SECTION: ;mil. IN NS ;; ANSWER SECTION: mil. 86400 IN NS E.ROOT-SERVERS.NET. mil. 86400 IN NS PAC2.NIPR.mil. mil. 86400 IN NS CON1.NIPR.mil. mil. 86400 IN NS B.ROOT-SERVERS.NET. mil. 86400 IN NS A.ROOT-SERVERS.NET. mil. 86400 IN NS EUR1.NIPR.mil. mil. 86400 IN NS PAC1.NIPR.mil. mil. 86400 IN NS H.ROOT-SERVERS.NET. mil. 86400 IN NS G.ROOT-SERVERS.NET. mil. 86400 IN NS CON2.NIPR.mil. mil. 86400 IN NS EUR2.NIPR.mil. ;; ADDITIONAL SECTION: E.ROOT-SERVERS.NET. 3600000 IN A 192.203.230.10 PAC2.NIPR.mil. 86400 IN A 199.252.155.234 CON1.NIPR.mil. 86400 IN A 199.252.175.234 B.ROOT-SERVERS.NET. 3600000 IN A 128.9.0.107 A.ROOT-SERVERS.NET. 3600000 IN A 198.41.0.4 EUR1.NIPR.mil. 86400 IN A 199.252.154.234 PAC1.NIPR.mil. 86400 IN A 199.252.180.234 H.ROOT-SERVERS.NET. 3600000 IN A 128.63.2.53 G.ROOT-SERVERS.NET. 3600000 IN A 192.112.36.4 CON2.NIPR.mil. 86400 IN A 199.252.173.234 EUR2.NIPR.mil. 86400 IN A 199.252.143.234 ;; Query time: 500 msec ;; SERVER: 198.41.0.4#53(a.root-servers.net) ;; WHEN: Wed Aug 21 16:07:56 2002 ;; MSG SIZE rcvd: 412 That's better. :) Go back to your regularly scheduled threads. At 03:04 PM 8/21/2002 -0500, you wrote:
On Wed, Aug 21, 2002 at 03:46:22PM -0400, Vinny Abello wrote:
I just stumbled across something I thought was interesting. All the .mil domain names used by the U.S. Military are served by one single root server. I thought that was a bit odd. I'm sure that one server is more
than
enough to handle the queries for all the .mil domains with no problem, but it doesn't seem very redundant or safe at all. Especially for something our military uses. There's something that could be beefed up a little bit. My other thought (which others may know) was that perhaps the military runs G.ROOT-SERVERS.NET and I'm just not aware of it. Maybe it's a policy to only run .mil on what they can control? Even still, I think it might be in their best interest to setup a few more.
These are the results I got when I queried A.ROOT-SERVERS.NET:
; <<>> DiG 9.2.1 <<>> @a.root-servers.net mil. ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41 ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION: ;mil. IN A
;; AUTHORITY SECTION: mil. 86400 IN SOA G.ROOT-SERVERS.NET. HOSTMASTER.N IC.mil. 2002082000 3600 900 1209600 86400
Ummmm. The SOA MNAME field is always a single server.
bastet[~]$ dig +short mil ns @g.root-servers.net PAC1.NIPR.mil. H.ROOT-SERVERS.NET. G.ROOT-SERVERS.NET. CON2.NIPR.mil. EUR2.NIPR.mil. E.ROOT-SERVERS.NET. PAC2.NIPR.mil. CON1.NIPR.mil. B.ROOT-SERVERS.NET. A.ROOT-SERVERS.NET. EUR1.NIPR.mil. bastet[~]$
-Pete
Vinny Abello Network Engineer Server Management vinny@tellurian.com (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN
% dig +norec @a.root-servers.net. mil. ns ; <<>> DiG 9.3.0s20020722 <<>> +norec @a.root-servers.net. mil. ns ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17626 ;; flags: qr aa; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 11 ;; QUESTION SECTION: ;mil. IN NS ;; ANSWER SECTION: mil. 86400 IN NS PAC1.NIPR.mil. mil. 86400 IN NS H.ROOT-SERVERS.NET. mil. 86400 IN NS G.ROOT-SERVERS.NET. mil. 86400 IN NS CON2.NIPR.mil. mil. 86400 IN NS EUR2.NIPR.mil. mil. 86400 IN NS E.ROOT-SERVERS.NET. mil. 86400 IN NS PAC2.NIPR.mil. mil. 86400 IN NS CON1.NIPR.mil. mil. 86400 IN NS B.ROOT-SERVERS.NET. mil. 86400 IN NS A.ROOT-SERVERS.NET. mil. 86400 IN NS EUR1.NIPR.mil. ;; ADDITIONAL SECTION: PAC1.NIPR.mil. 86400 IN A 199.252.180.234 H.ROOT-SERVERS.NET. 3600000 IN A 128.63.2.53 G.ROOT-SERVERS.NET. 3600000 IN A 192.112.36.4 CON2.NIPR.mil. 86400 IN A 199.252.173.234 EUR2.NIPR.mil. 86400 IN A 199.252.143.234 E.ROOT-SERVERS.NET. 3600000 IN A 192.203.230.10 PAC2.NIPR.mil. 86400 IN A 199.252.155.234 CON1.NIPR.mil. 86400 IN A 199.252.175.234 B.ROOT-SERVERS.NET. 3600000 IN A 128.9.0.107 A.ROOT-SERVERS.NET. 3600000 IN A 198.41.0.4 EUR1.NIPR.mil. 86400 IN A 199.252.154.234 ;; Query time: 104 msec ;; SERVER: 198.41.0.4#53(a.root-servers.net.) ;; WHEN: Wed Aug 21 13:15:28 2002 ;; MSG SIZE rcvd: 412 % doc -p -w mil Doc-2.2.3: doc -p -w mil Doc-2.2.3: Starting test of mil. parent is . Doc-2.2.3: Test date - Wed Aug 21 13:19:12 PDT 2002 Summary: No errors or warnings issued for mil. Done testing mil. Wed Aug 21 13:19:21 PDT 2002
OK. People can stop correcting me now. :) I did catch the mistake immediately after I sent the email. Now something REALLY useful in an email client would be an unsend feature... I'm joking of course. I have to say that before I get slammed with the technical reasons why that wouldn't work for mail on the Internet which I'm already well aware. ;) At 01:24 PM 8/21/2002 -0700, you wrote:
% dig +norec @a.root-servers.net. mil. ns
; <<>> DiG 9.3.0s20020722 <<>> +norec @a.root-servers.net. mil. ns ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17626 ;; flags: qr aa; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 11
;; QUESTION SECTION: ;mil. IN NS
;; ANSWER SECTION: mil. 86400 IN NS PAC1.NIPR.mil. mil. 86400 IN NS H.ROOT-SERVERS.NET. mil. 86400 IN NS G.ROOT-SERVERS.NET. mil. 86400 IN NS CON2.NIPR.mil. mil. 86400 IN NS EUR2.NIPR.mil. mil. 86400 IN NS E.ROOT-SERVERS.NET. mil. 86400 IN NS PAC2.NIPR.mil. mil. 86400 IN NS CON1.NIPR.mil. mil. 86400 IN NS B.ROOT-SERVERS.NET. mil. 86400 IN NS A.ROOT-SERVERS.NET. mil. 86400 IN NS EUR1.NIPR.mil.
;; ADDITIONAL SECTION: PAC1.NIPR.mil. 86400 IN A 199.252.180.234 H.ROOT-SERVERS.NET. 3600000 IN A 128.63.2.53 G.ROOT-SERVERS.NET. 3600000 IN A 192.112.36.4 CON2.NIPR.mil. 86400 IN A 199.252.173.234 EUR2.NIPR.mil. 86400 IN A 199.252.143.234 E.ROOT-SERVERS.NET. 3600000 IN A 192.203.230.10 PAC2.NIPR.mil. 86400 IN A 199.252.155.234 CON1.NIPR.mil. 86400 IN A 199.252.175.234 B.ROOT-SERVERS.NET. 3600000 IN A 128.9.0.107 A.ROOT-SERVERS.NET. 3600000 IN A 198.41.0.4 EUR1.NIPR.mil. 86400 IN A 199.252.154.234
;; Query time: 104 msec ;; SERVER: 198.41.0.4#53(a.root-servers.net.) ;; WHEN: Wed Aug 21 13:15:28 2002 ;; MSG SIZE rcvd: 412
% doc -p -w mil Doc-2.2.3: doc -p -w mil Doc-2.2.3: Starting test of mil. parent is . Doc-2.2.3: Test date - Wed Aug 21 13:19:12 PDT 2002 Summary: No errors or warnings issued for mil. Done testing mil. Wed Aug 21 13:19:21 PDT 2002
Vinny Abello Network Engineer Server Management vinny@tellurian.com (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN
On Wed, 21 Aug 2002, Vinny Abello wrote:
OK. People can stop correcting me now. :) I did catch the mistake immediately after I sent the email. Now something REALLY useful in an email client would be an unsend feature... I'm joking of course. I have to say that before I get slammed with the technical reasons why that wouldn't work for mail on the Internet which I'm already well aware. ;)
I guess that if mail sent to the nanog list wouldnt take 5-60 minutes to get delivered to all people on the list, people would sooner see that someone else has actually answered the email in question, and wont answer themselves. I remember this being discussed earlier, is there any perticular reason why this hasnt been fixed? If nanog-l is supposed to be a list for operational purposes, doesnt that require speedy delivery in a lot of cases? -- Mikael Abrahamsson email: swmike@swm.pp.se
At 12:09 AM +0200 2002/08/22, Mikael Abrahamsson wrote:
I guess that if mail sent to the nanog list wouldnt take 5-60 minutes to get delivered to all people on the list, people would sooner see that someone else has actually answered the email in question, and wont answer themselves.
Show me the headers that demonstrate these delays. On the message I am responding to, I see an end-to-end delay of just a few minutes, and that amount of time could easily be accounted for by your clock being slightly off from mine.
I remember this being discussed earlier, is there any perticular reason why this hasnt been fixed? If nanog-l is supposed to be a list for operational purposes, doesnt that require speedy delivery in a lot of cases?
For more details on the issues involved, read the following: Author: Rob Kolstad Title: Tuning Sendmail for Large Mailing Lists Pages: 195 Publisher: USENIX Proceedings: Eleventh Systems Administration Conference (LISA '97) Date: October 26-31, 1997 Location: San Diego, California Institution: Berkeley Software Design, Inc. Author: Strata Rose Chalup Author: Christine Hogan Author: Greg Kulosa Author: Bryan McDonald Author: Bryan Stansell Title: Drinking from the Fire(walls) Hose: Another Approach to Very Large Mailing Lists Pages: 317 Publisher: USENIX Proceedings: Twelfth Systems Administration Conference (LISA '98) Date: December 6-11, 1998 Location: Boston, Massachusetts Institution: Global Networking and Computing, Inc. -- Brad Knowles, <brad.knowles@skynet.be> "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin, Historical Review of Pennsylvania. GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E W+++(--) N+ !w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++) tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
Once upon a time, Brad Knowles <brad.knowles@skynet.be> said:
Show me the headers that demonstrate these delays. On the message I am responding to, I see an end-to-end delay of just a few minutes, and that amount of time could easily be accounted for by your clock being slightly off from mine.
Well, on the thread in question, my response took 15 minutes to get back to me (well, 15:06 to be precise). That is by far the largest RTT for a list that I've posted to lately (not counting lists with servers down, etc.). -- Chris Adams <cmadams@hiwaay.net> Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
At 12:09 AM 8/22/2002, Chris Adams wrote:
Once upon a time, Brad Knowles <brad.knowles@skynet.be> said:
Show me the headers that demonstrate these delays. On the message I am responding to, I see an end-to-end delay of just a few minutes, and that amount of time could easily be accounted for by your clock being slightly off from mine.
Well, on the thread in question, my response took 15 minutes to get back to me (well, 15:06 to be precise). That is by far the largest RTT for a list that I've posted to lately (not counting lists with servers down, etc.).
Headers show it took 50 seconds for my last post to make it here.
On Wed, 21 Aug 2002, Chris Adams wrote:
Well, on the thread in question, my response took 15 minutes to get back to me (well, 15:06 to be precise). That is by far the largest RTT for a list that I've posted to lately (not counting lists with servers down, etc.).
Here are two examples. I have seen email with 20+ minutes delay even on the last hop to me, though in the first example it was only 4-5 minutes. In the first example most of the delay is within merit, on the last one the majority of the delay is from trapdoor to my box. Return-Path: <owner-nanog@merit.edu> Received: from trapdoor.merit.edu (trapdoor.merit.edu [198.108.1.26]) by uplift.swm.pp.se (8.11.6/8.9.3) with ESMTP id g7LLDkM25219 for <swmike@swm.pp.se>; Wed, 21 Aug 2002 23:13:46 +0200 Received: by trapdoor.merit.edu (Postfix) id 1EDD29138D; Wed, 21 Aug 2002 17:10:18 -0400 (EDT) Delivered-To: nanog-outgoing@trapdoor.merit.edu Received: by trapdoor.merit.edu (Postfix, from userid 56) id 3A048913BB; Wed, 21 Aug 2002 17:09:25 -0400 (EDT) Delivered-To: nanog@trapdoor.merit.edu Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by trapdoor.merit.edu (Postfix) with ESMTP id 5D91191313 for <nanog@trapdoor.merit.edu>; Wed, 21 Aug 2002 16:50:00 -0400 (EDT) Received: by segue.merit.edu (Postfix) id 3D8E65DDAF; Wed, 21 Aug 2002 16:50:00 -0400 (EDT) Delivered-To: nanog@nanog.org Received: from mx0.inoc.net (mx0.inoc.net [64.246.130.30]) by segue.merit.edu (Postfix) with ESMTP id 120745DD9F for <nanog@nanog.org>; Wed, 21 Aug 2002 16:50:00 -0400 (EDT) Received: from nimbus (unverified [10.0.0.111]) by mx0.inoc.net (Vircom SMTPRS 5.3.232) with ESMTP id <B0004784738@mx0.inoc.net>; Wed, 21 Aug 2002 16:49:59 -0400 Another example: Return-Path: <owner-nanog@merit.edu> Received: from trapdoor.merit.edu (trapdoor.merit.edu [198.108.1.26]) by uplift.swm.pp.se (8.11.6/8.9.3) with ESMTP id g7LL0AM24539 for <swmike@swm.pp.se>; Wed, 21 Aug 2002 23:00:11 +0200 Received: by trapdoor.merit.edu (Postfix) id 1440191379; Wed, 21 Aug 2002 16:37:29 -0400 (EDT) Delivered-To: nanog-outgoing@trapdoor.merit.edu Received: by trapdoor.merit.edu (Postfix, from userid 56) id 6EB0991384; Wed, 21 Aug 2002 16:32:55 -0400 (EDT) Delivered-To: nanog@trapdoor.merit.edu Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by trapdoor.merit.edu (Postfix) with ESMTP id CC01891378 for <nanog@trapdoor.merit.edu>; Wed, 21 Aug 2002 16:31:04 -0400 (EDT) Received: by segue.merit.edu (Postfix) id AB8455DDAF; Wed, 21 Aug 2002 16:31:04 -0400 (EDT) Delivered-To: nanog@nanog.org Received: from lerlaptop.iadfw.net (lerlaptop.iadfw.net [206.66.13.21]) by segue.merit.edu (Postfix) with ESMTP id 1D19A5DD9F for <nanog@nanog.org>; Wed, 21 Aug 2002 16:31:04 -0400 (EDT) Received: from localhost (localhost [127.0.0.1]) by lerlaptop.iadfw.net (8.12.5/8.12.5) with ESMTP id g7LKV0dQ003881; Wed, 21 Aug 2002 15:31:00 -0500 (CDT) (envelope-from ler@lerctr.org) -- Mikael Abrahamsson email: swmike@swm.pp.se
At 7:19 AM +0200 2002/08/22, Mikael Abrahamsson wrote:
Here are two examples. I have seen email with 20+ minutes delay even on the last hop to me, though in the first example it was only 4-5 minutes. In the first example most of the delay is within merit, on the last one the majority of the delay is from trapdoor to my box.
But we don't know what the *cause* is of the delay between Merit & your box. That might be caused by network problems between the two points, your box temporarily being unavailable, or whatever. We just don't have enough information to make a determination as to whose fault this problem is. -- Brad Knowles, <brad.knowles@skynet.be> "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin, Historical Review of Pennsylvania. GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E W+++(--) N+ !w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++) tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
On Thu, 22 Aug 2002, Brad Knowles wrote:
Here are two examples. I have seen email with 20+ minutes delay even on the last hop to me, though in the first example it was only 4-5 minutes. In the first example most of the delay is within merit, on the last one the majority of the delay is from trapdoor to my box.
But we don't know what the *cause* is of the delay between Merit & your box. That might be caused by network problems between the two points, your box temporarily being unavailable, or whatever.
The cause is overload. There is a definate relation between amount of mail going thru the list handling system and the delay. When there are a lot of email being posted the delay is longer. I also notice that you ignored the 20 minute delay within the mailinglist delivery system: Received: by trapdoor.merit.edu (Postfix) id 1EDD29138D; Wed, 21 Aug 2002 17:10:18 -0400 (EDT) <cut> Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by trapdoor.merit.edu (Postfix) with ESMTP id 5D91191313 for <nanog@trapdoor.merit.edu>; Wed, 21 Aug 2002 16:50:00 -0400
We just don't have enough information to make a determination as to whose fault this problem is.
Well, I am convinced that the problem lies in the way the list is set up or the software chosen. I checked approx 50 nanog-l email and almost no email is delivered to me within 5 minutes on this list, when there are 3-5 messages being posted in quick succession the delivery time quickly goes up to 10-15+ minutes. All the replies to the .mil email took 10+ minutes to deliver, most of them 20 minutes, that's why there were so many replies because people just did not see each others replies. All the answers to the original post were done within a 30 minute window (the first one 13 minutes after the original post) so there are quite a few people seeing long delivery times here. I am on mailing lists with many hundreds of people at other places and normal delivery time there is sub-minute. I see no technical reason today why an important list like nanog-l should reside on a mailing list platform where 10+ minute delivery time is reached in 20+ % of the cases and reached immediately when there is any load or moderate usage, and sub-5-minute delivery is reached in less than 20% of the cases. -- Mikael Abrahamsson email: swmike@swm.pp.se
On Fri, Aug 23, 2002 at 07:21:47AM +0200, Mikael Abrahamsson wrote:
Well, I am convinced that the problem lies in the way the list is set up or the software chosen. I checked approx 50 nanog-l email and almost no email is delivered to me within 5 minutes on this list, when there are 3-5 messages being posted in quick succession the delivery time quickly goes up to 10-15+ minutes.
Are the contents of the nanog list so incredibly important that we must get delivery within 5 minutes or less? If it takes longer than 5 minutes to propagate, do you get your post free? Oh wait, the list is already free...hmm. If you want near-instantaneous mail delivery, you can have it -- for a fee. As in all things, you get what you pay for. Personally, I am quite happy with the list as is -- the new list setup is a vast improvement over what things were just a few months ago. I'm not about to complain over a few minutes. How many of us check our email every few minutes anyway? Perhaps the delay will encourage people to wait, and consider their post before jumping on a thread -- that seems to be the real culprit. --msa
On Thu, Aug 22, 2002 at 10:38:05PM -0700, Majdi S. Abbas wrote:
Are the contents of the nanog list so incredibly important that we must get delivery within 5 minutes or less? If it takes longer than 5 minutes to propagate, do you get your post free?
I've seen it be better, and I've also seen it be a lot worse. But if speeding up the mail delivery time can stop the endless supply of useless replies to things which have already been addressed, I'd suggest it's worth it.
Oh wait, the list is already free...hmm. If you want near-instantaneous mail delivery, you can have it -- for a fee. As in all things, you get what you pay for.
And that $300 minimum * 500 people = $150k * 3 = $750k/yr charged at meetings, that doesn't count? -- Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
At 8:50 AM -0400 2002/08/23, Richard A Steenbergen wrote:
I've seen it be better, and I've also seen it be a lot worse. But if speeding up the mail delivery time can stop the endless supply of useless replies to things which have already been addressed, I'd suggest it's worth it.
See <http://www.usenix.org/publications/library/proceedings/lisa98/full_papers/chalup/chalup_html/chalup.html>. Not everyone agrees that instantaneous mail delivery will solve all problems. It might help choke off replies coming back from people who get slow mail delivery, but it's certainly not going to stop people who are slow to *check* their mail, and respond before reading all messages in the thread. Moreover, it would be likely to encourage chat-like flaming.
And that $300 minimum * 500 people = $150k * 3 = $750k/yr charged at meetings, that doesn't count?
How many of the people on this list actually go to the meetings? How many actually pay the fees? How many people who go to the meetings and pay the fees *don't* watch this list? Maybe we should have separate lists, with one just for the people who actually pay the fees? Then they can discuss things as much as they want amongst themselves, and not have to worry about all these freebie hangers-on? Seriously, there is no charge to join the list, and if you want to change that fact, I suspect you're going to drive away most of the people. Some of the people you drive away might not be of particular importance to you, but I can't imagine that you would want to drive away everybody who doesn't pay the $300 fee. -- Brad Knowles, <brad.knowles@skynet.be> "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin, Historical Review of Pennsylvania. GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E W+++(--) N+ !w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++) tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
-----Original Message----- From: Mikael Abrahamsson
I am on mailing lists with many hundreds of people at other places and normal delivery time there is sub-minute. I see no technical reason today why an important list like nanog-l should reside on a mailing list platform where 10+ minute delivery time is reached in 20+ % of the cases and reached immediately when there is any load or moderate usage, and sub-5-minute delivery is reached in less than 20% of the cases.
my $.02... IMHO, I know of no out-of-the-box MTA that defaults to handle mailinglist loads. I run a mailinglist with ~750 members and ~25 posts per day. This server is a 300Mhz Cobalt RaQ3i w/ 256Mb of memory on a 256Kbs pipe (also running Apache w/ a fairly busy website: flagspot.net). Email turns around in the <5 minute time frame, and usually a heck of a lot quicker. Attached is a graph from yesterday showing the number of running Sendmail processes (green), and the number of emails in mailq (blue). Notice how there are very few emails that make it into the mailq in time to be polled by MRTG, most of these involve delivery issues with the remote mailserver (delays,timeouts,etc.). The trick to speedy turnaround is in the MTA configuration. This is chiefly achieved by using multiple queues, as well as severely reducing the timeouts such that email being sent to unreachable/overloaded mailhosts are quickly moved to the bottom of the delivery stack. -Jim P.
At 2:01 AM -0400 2002/08/23, Jim Popovitch wrote:
IMHO, I know of no out-of-the-box MTA that defaults to handle mailinglist loads.
I've been specializing in e-mail system administration for about ten years, and doing large systems & performance tuning of e-mail systems for about six. I can tell you from personal experience that Postfix is better at handling them out-of-the-box than any other I know of.
The trick to speedy turnaround is in the MTA configuration.
Indeed. Hence my references to the two main papers published so far on this topic, one by Rob Kolstand and one by Strata Chalup.
This is chiefly achieved by using multiple queues, as well as severely reducing the timeouts such that email being sent to unreachable/overloaded mailhosts are quickly moved to the bottom of the delivery stack.
These are some of the standard techniques, yes. -- Brad Knowles, <brad.knowles@skynet.be> "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin, Historical Review of Pennsylvania. GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E W+++(--) N+ !w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++) tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
At 2:45 PM +0200 2002/08/23, Brad Knowles wrote:
Indeed. Hence my references to the two main papers published so far on this topic, one by Rob Kolstand and one by Strata Chalup.
s/Kolstand/Kolstad/ Sigh.... -- Brad Knowles, <brad.knowles@skynet.be> "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin, Historical Review of Pennsylvania. GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E W+++(--) N+ !w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++) tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
-----Original Message----- From: Brad Knowles
I've been specializing in e-mail system administration for about ten years, and doing large systems & performance tuning of e-mail systems for about six. I can tell you from personal experience that Postfix is better at handling them out-of-the-box than any other I know of.
Interesting... mail.merit.edu seems to be running Postfix. Did they dumb it down? :) -Jim P.
At 9:17 AM -0400 2002/08/23, Jim Popovitch wrote:
Interesting... mail.merit.edu seems to be running Postfix.
Indeed, that was part of my point. They've already made a pretty good choice for an MTA to handle mail for the list.
Did they dumb it down? :)
I doubt it. They've just got a big list, and they may not have tuned the installation quite as much as they could have. Or, the software and hardware may be as tuned as they can get, and they're just out of capacity. In any event, the point I've been trying to make (repeatedly) is that, so far, all we have is a relatively small sample of data, and we do not (yet) have enough information to be making any valid conclusions. -- Brad Knowles, <brad.knowles@skynet.be> "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin, Historical Review of Pennsylvania. GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E W+++(--) N+ !w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++) tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
On Fri, Aug 23, 2002 at 06:11:44PM +0200, Brad Knowles wrote:
At 9:17 AM -0400 2002/08/23, Jim Popovitch wrote:
Interesting... mail.merit.edu seems to be running Postfix.
Indeed, that was part of my point. They've already made a pretty good choice for an MTA to handle mail for the list.
Did they dumb it down? :)
I doubt it. They've just got a big list, and they may not have tuned the installation quite as much as they could have.
As of about a year ago, the major problems were: The subscriber list is *HUGE*. It is relatively high volume. Even running postfix, they need more per-queue tuning than the mailing list administrator can do amongst her 100's of other jobs (Hi Sue!). For the most part, things work pretty well.
Brad Knowles, <brad.knowles@skynet.be>
-- Jeff Haas NextHop Technologies
On Fri, 23 Aug 2002 02:01:38 -0400 Jim Popovitch <jimpop@rocketship.com> wrote:
IMHO, I know of no out-of-the-box MTA that defaults to handle mailinglist loads.
!?!?!?!?
Attached is a graph from yesterday showing the number of running Sendmail processes (green), and the number of emails in mailq (blue).
umm, sendmail had a lot of problems 6-7 years ago, but supposedly has improved. i wouldn't know, i switched to exim back around 1996, and guess what -- in 1996, exim handled mailing list loads well out of the box. i'm talking about 2000-3000 subscriber lists and 25-35 email messages a day. i'm told postfix and qmail do good jobs with mailing lists as well. richard -- Richard Welty rwelty@averillpark.net Averill Park Networking 518-573-7592 Unix, Linux, IP Network Engineering, Security
At 11:09 PM -0500 2002/08/21, Chris Adams wrote:
Well, on the thread in question, my response took 15 minutes to get back to me (well, 15:06 to be precise). That is by far the largest RTT for a list that I've posted to lately (not counting lists with servers down, etc.).
See my previous message on this thread. Without knowing more about how their network is run and what their current message delivery statistics are, all I'm seeing are a few complaints from a few people that they're seeing deliveries sometimes take 15-20 minutes. This could very easily fit within an extremely reasonable delivery standard of 95% of all e-mail being delivered within five minutes, and 99% of all e-mail being delivered within one hour. I'm still not seeing a problem here. -- Brad Knowles, <brad.knowles@skynet.be> "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin, Historical Review of Pennsylvania. GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E W+++(--) N+ !w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++) tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
In short: you asked the wrong question. Once upon a time, Vinny Abello <vinny@tellurian.com> said:
These are the results I got when I queried A.ROOT-SERVERS.NET:
; <<>> DiG 9.2.1 <<>> @a.root-servers.net mil. ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41 ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION: ;mil. IN A
You asked for A records. Since a.root-servers.net does not have any A records, and since it isn't a recursive server, it just gave you the SOA for mil. If you ask for NS records (like "dig @a.root-servers.net mil. ns"), you'll see a different picture. -- Chris Adams <cmadams@hiwaay.net> Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
the .mil domain has an "master" source, just like .com or <your tld here> it has a list of authoritative servers, just like .com or <your tld here> You are reading your response incorrectly. your dig query ask for the default, which is an "A" record. .MIL has no "A" rr at the apex. The authority for .MIL, according to a.root-servers.net, is g.root-servers.net. the NSlist for mil is: $ dig mil. ns ; <<>> DiG 8.3 <<>> mil. ns ;; res options: init recurs defnam dnsrch ;; got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4 ;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 11 ;; QUERY SECTION: ;; mil, type = NS, class = IN ;; ANSWER SECTION: mil. 2D IN NS CON1.NIPR.mil. mil. 2D IN NS CON2.NIPR.mil. mil. 2D IN NS EUR1.NIPR.mil. mil. 2D IN NS EUR2.NIPR.mil. mil. 2D IN NS PAC1.NIPR.mil. mil. 2D IN NS PAC2.NIPR.mil. mil. 2D IN NS A.ROOT-SERVERS.NET. mil. 2D IN NS H.ROOT-SERVERS.NET. mil. 2D IN NS G.ROOT-SERVERS.NET. mil. 2D IN NS B.ROOT-SERVERS.NET. mil. 2D IN NS E.ROOT-SERVERS.NET. ----- all over the world. Some inside the military, some out.
I just stumbled across something I thought was interesting. All the .mil domain names used by the U.S. Military are served by one single root server. I thought that was a bit odd. I'm sure that one server is more than enough to handle the queries for all the .mil domains with no problem, but it doesn't seem very redundant or safe at all. Especially for something our military uses. There's something that could be beefed up a little bit. My other thought (which others may know) was that perhaps the military runs G.ROOT-SERVERS.NET and I'm just not aware of it. Maybe it's a policy to only run .mil on what they can control? Even still, I think it might be in their best interest to setup a few more.
These are the results I got when I queried A.ROOT-SERVERS.NET:
; <<>> DiG 9.2.1 <<>> @a.root-servers.net mil. ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41 ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION: ;mil. IN A
;; AUTHORITY SECTION: mil. 86400 IN SOA G.ROOT-SERVERS.NET. HOSTMASTER.N IC.mil. 2002082000 3600 900 1209600 86400
;; Query time: 390 msec ;; SERVER: 198.41.0.4#53(a.root-servers.net) ;; WHEN: Wed Aug 21 15:38:58 2002 ;; MSG SIZE rcvd: 90
I'd like comments from anyone with more information on this. I'm just curious as to why it is this way and what the reasoning behind it is. Maybe I'll email hostmaster.nic.mil and ask. ;)
Vinny Abello Network Engineer Server Management vinny@tellurian.com (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A
Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN
Perhaps the military has more interest in controlling access than in making sure John Q. Public is able to reach their sites? There's also little commercial interest in making sure they're available. I'm willing to bet the important stuff doesn't rely on DNS anyway. ;) Just my 2¢ Best regards, _________________________ Alan Rowland USAF, Ret -----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Vinny Abello Sent: Wednesday, August 21, 2002 12:46 PM To: nanog@trapdoor.merit.edu Subject: .mil domain root only hosted by one server?? I just stumbled across something I thought was interesting. All the .mil domain names used by the U.S. Military are served by one single root server. I thought that was a bit odd. I'm sure that one server is more than enough to handle the queries for all the .mil domains with no problem, but it doesn't seem very redundant or safe at all. Especially for something our military uses. There's something that could be beefed up a little bit. My other thought (which others may know) was that perhaps the military runs G.ROOT-SERVERS.NET and I'm just not aware of it. Maybe it's a policy to only run .mil on what they can control? Even still, I think it might be in their best interest to setup a few more. These are the results I got when I queried A.ROOT-SERVERS.NET: ; <<>> DiG 9.2.1 <<>> @a.root-servers.net mil. ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41 ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;mil. IN A ;; AUTHORITY SECTION: mil. 86400 IN SOA G.ROOT-SERVERS.NET. HOSTMASTER.N IC.mil. 2002082000 3600 900 1209600 86400 ;; Query time: 390 msec ;; SERVER: 198.41.0.4#53(a.root-servers.net) ;; WHEN: Wed Aug 21 15:38:58 2002 ;; MSG SIZE rcvd: 90 I'd like comments from anyone with more information on this. I'm just curious as to why it is this way and what the reasoning behind it is. Maybe I'll email hostmaster.nic.mil and ask. ;) Vinny Abello Network Engineer Server Management vinny@tellurian.com (973)300-9211 x 125 (973)940-6125 (Direct) PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com (888)TELLURIAN
participants (16)
-
Al Rowland -
bmanning@karoshi.com -
Brad Knowles -
Chris Adams -
Dave Stewart -
Jeffrey Haas -
Jim Popovitch -
Joe Abley -
Majdi S. Abbas -
Mikael Abrahamsson -
Pete Ehlke -
Randy Bush -
Richard A Steenbergen -
Richard Welty -
Valdis.Kletnieks@vt.edu -
Vinny Abello