Re: VeriSign's rapid DNS updates in .com/.net
On Fri, 09 Jul 2004, Robert Boyle wrote:
Does this also apply to domains with other registrars?
I'm not sure what you mean by "other registrars". VeriSign sold the Network Solutions registrar in November 2003 (although it retains a 15% ownership). The rapid updates apply to all changes from all registrars.
Does this apply to authoritative name server changes as well?
Do you mean, does it apply to glue records (i.e., A records for name servers) in the .com/.net zones? Yes, it does: a change to a name server's IP address will be reflected just as fast as a change to a domain's (er, zone's) NS records.
Also, does this apply to customers who have had their domains suspended due to non-payment?
I'm not sure what you mean here, but I think you're referring to something that's ultimately a registrar issue. A domain can be placed on hold status in the registry and its NS records will not appear in the .com/.net zones. There are several different hold statuses and they all prevent a domain's NS records from being published. It's possible a registrar could put a domain on hold for non-payment. Any changes to its name servers while it's on hold would be propagated quickly under this new system, as would changes to its hold status, so if it was removed from hold, whatever changes occurred while it was on hold would be visible quickly.

One other issue: a few people have sent me private email asking if we're planning on changing the 48-hour TTL for NS records and A records in .com/.net. At this point we're not, and the reason has a lot to do with a little-known DNS behavior called credibility. It's described in RFC 2181 ("Clarifications to the DNS Specification"), Section 5.4.1, although the concept pre-dates that RFC and has been in the BIND iterative resolver, for example, since version 4.9 (if memory serves).

In a nutshell, DNS data has different levels of credibility or trustworthiness depending on where it's learned from. That's relevant here because the version of a zone's NS records from the zone's authoritative servers is more trustworthy than the version obtained from the zone's parent name servers. For example, the foo.com NS records received from a foo.com authoritative server are believed over the foo.com NS records received from a .com name server. Most "positive" responses include the zone's NS records along with the specific data requested (such as an A record). So in practice, here's what happens:

- An iterative resolver chasing down, for example, A records for www.foo.com queries a .com name server and caches the foo.com NS records (with a 48-hour TTL) it receives.
- The resolver then queries one of the foo.com name servers for the www.foo.com A records.
- In the response the resolver receives the www.foo.com A records, along with foo.com's own version of the foo.com NS records--and this is the important part--which have the TTL set by the foo.com zone owner.
- According to the credibility scale, the just-received foo.com NS records are more credible than the cached foo.com NS records from .com, so the just-received records displace the cached ones, new TTL and all.

In other words, for all the iterative resolvers out there that have this credibility mechanism, the 48-hour TTL on data in .com/.net isn't particularly relevant.

Matt
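As an added illustration of the displacement Matt describes (example code written here, not from the thread or from VeriSign): a toy resolver cache that ranks RRsets by RFC 2181 section 5.4.1 credibility and replays the www.foo.com lookup. foo.com and the 48-hour (172800-second) registry TTL are from the message; the name server names, the 192.0.2.10 address and the 3600-second child TTL are assumed sample values.

```python
# Toy resolver cache ranking RRsets by source credibility (RFC 2181 section 5.4.1).
# Added example: foo.com and the 48-hour registry TTL come from the thread;
# the server names, address and 3600-second child TTL are constructed sample values.
from dataclasses import dataclass

# Trust levels, highest first (simplified from RFC 2181 5.4.1).
AUTH_ANSWER = 3      # answer section of an authoritative reply from the zone's own server
AUTH_AUTHORITY = 2   # authority section of that same authoritative reply
REFERRAL = 1         # NS records learned from the parent zone's servers (e.g. .com)

@dataclass(frozen=True)
class CachedRRset:
    rdata: tuple   # sorted record values, e.g. name server names or addresses
    ttl: int       # TTL as received from the source that supplied this copy
    rank: int      # credibility of that source

class ResolverCache:
    def __init__(self):
        self.entries = {}  # (owner name, type) -> CachedRRset

    def learn(self, name, rtype, rdata, ttl, rank):
        """Store an RRset; return False when less credible data is ignored."""
        key = (name.lower().rstrip("."), rtype)
        current = self.entries.get(key)
        # More (or equally) credible data displaces the cached copy, new TTL and all;
        # less credible data never overwrites what is already cached.
        if current is not None and rank < current.rank:
            return False
        self.entries[key] = CachedRRset(tuple(sorted(rdata)), ttl, rank)
        return True

    def get(self, name, rtype):
        return self.entries.get((name.lower().rstrip("."), rtype))

def resolve_www_foo_com():
    """Replay the lookup walked through in the thread; return the resulting cache."""
    cache = ResolverCache()
    ns_set = ["ns1.foo.com", "ns2.foo.com"]
    # Step 1: the .com referral carries the registry's copy of foo.com NS, TTL 48 hours.
    cache.learn("foo.com", "NS", ns_set, 172800, REFERRAL)
    # Step 2: a foo.com server answers authoritatively; the A record is in the answer
    # section and foo.com's own NS set, with the zone owner's TTL, is in the authority section.
    cache.learn("www.foo.com", "A", ["192.0.2.10"], 300, AUTH_ANSWER)
    cache.learn("foo.com", "NS", ns_set, 3600, AUTH_AUTHORITY)
    # Step 3: a later .com referral with the 48-hour TTL is ignored; the child's copy wins.
    cache.learn("foo.com", "NS", ns_set, 172800, REFERRAL)
    return cache
```

After `resolve_www_foo_com()` the cached foo.com NS set carries the child's 3600-second TTL, not the registry's 172800, which is the point Matt makes about the .com/.net TTL being largely irrelevant to such resolvers.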
Anyone noticing issues with Akamai and their DNS stuff? Just wondering because I'm seeing strange responses regarding www.foxnews.com, in that one of the Cnames a20.g.akamai.com is changing every 20 seconds, and sometimes no response at all. -Joe Blanchard
joe wrote:
Anyone noticing issues with Akamai and their DNS stuff? Just wondering because I'm seeing strange responses regarding www.foxnews.com, in that one of the Cnames a20.g.akamai.com is changing every 20 seconds, and sometimes no response at all.
It's really too soon to tell, but there is certainly something out there aimed right at the root servers. I saw a post from someone on full disclosure claiming that there was a 0-day exploit against bind (although the version wasn't named). There was huge activity for about four hours, but it leveled off about 20-30 minutes ago. I'm still analyzing earlier ethereal dumps, and logs, looking for the injection, or other evidence. Some of this would probably explain any anomalies you see at akamai.

--
...because as an industry we've tried to make security seem easier than it actually is. We want to make it like driving a car when it's more like flying an airplane.
Chris Brenton (at 08:22 -0400 19 Apr 2004 on NANOG)
On Jul 10, 2004, at 12:20 AM, joe wrote:
Anyone noticing issues with Akamai and their DNS stuff? Just wondering because I'm seeing strange responses regarding www.foxnews.com, in that one of the Cnames a20.g.akamai.com is changing every 20 seconds, and sometimes no response at all.
Is it just foxnews or other sites too? There's a thread on inet-access regarding foxnews and windows 2003 nameservers.
Keynote data shows a small spike in DNS errors for the KB40 index from 8am to 8:30am EDT this morning. Normally we see less than 1 error per 4000 datapoints per half hour. During this period, it was 22 errors. There was also a jump in "connection timed out" from less than one to 18 during this period.

Looking at the deaggregated data, it appears that the spike was due to brief problems on many of the measured sites, rather than any one particular site.

It does not appear to be an Akamai-specific DNS issue at all. It does not appear to be especially significant (22/4000 < .1%) either.

I'll do some more digging...

--Lloyd

On Sat, 10 Jul 2004, John Payne wrote:
Date: Sat, 10 Jul 2004 00:55:47 -0400
From: John Payne <john@sackheads.org>
To: joe <joej@rocknyou.com>
Cc: nanog@merit.edu
Subject: Re: DNS with Akamai
On Jul 10, 2004, at 12:20 AM, joe wrote:
Anyone noticing issues with Akamai and their DNS stuff? Just wondering because I'm seeing strange responses regarding www.foxnews.com, in that one of the Cnames a20.g.akamai.com is changing every 20 seconds, and sometimes no response at all.
Is it just foxnews or other sites too? There's a thread on inet-access regarding foxnews and windows 2003 nameservers.
Yup. Across the board from 8am to 8:15am EDT:

http://web504.keynote.com/mykeynote/Post/KB40data_071004_081218.asp

(Scroll down about 25% to see the error-by-time chart) Note that the time resolution of this chart is 15 minutes.

Not an Akamai issue.

--Lloyd

On Sat, 10 Jul 2004, Lloyd Taylor wrote:
Date: Sat, 10 Jul 2004 08:01:22 -0700 (PDT)
From: Lloyd Taylor <ltaylor@keynote.com>
To: John Payne <john@sackheads.org>
Cc: joe <joej@rocknyou.com>, nanog@merit.edu
Subject: Re: DNS with Akamai
Keynote data shows a small spike in DNS errors for the KB40 index from 8am to 8:30am EDT this morning. Normally we see less than 1 error per 4000 datapoints per half hour. During this period, it was 22 errors. There was also a jump in "connection timed out" from less than one to 18 during this period.
Looking at the deaggregated data, it appears that the spike was due to brief problems on many of the measured sites, rather than any one particular site.
It does not appear to be an Akamai-specific DNS issue at all. It does not appear to be especially significant (22/4000 < .1%) either.
I'll do some more digging...
--Lloyd
On Sat, 10 Jul 2004, John Payne wrote:
Date: Sat, 10 Jul 2004 00:55:47 -0400
From: John Payne <john@sackheads.org>
To: joe <joej@rocknyou.com>
Cc: nanog@merit.edu
Subject: Re: DNS with Akamai
On Jul 10, 2004, at 12:20 AM, joe wrote:
Anyone noticing issues with Akamai and their DNS stuff? Just wondering because I'm seeing strange responses regarding www.foxnews.com, in that one of the Cnames a20.g.akamai.com is changing every 20 seconds, and sometimes no response at all.
Is it just foxnews or other sites too? There's a thread on inet-access regarding foxnews and windows 2003 nameservers.
John,

Thanks for the info/pointer to inet-access. As far as I can tell, only www.foxnews.com, but there may be others. It's the only one that was reported as an issue. Oddly, when I do a dig against it the response is as follows: (FYI this is from a linux system)

[root@rocknyou log]# dig www.foxnews.com

; <<>> DiG 9.2.1 <<>> www.foxnews.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38652
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 9, ADDITIONAL: 0

;; QUESTION SECTION:
;www.foxnews.com. IN A

;; ANSWER SECTION:
www.foxnews.com. 3578 IN CNAME www.foxnews.com.edgesuite.net.
www.foxnews.com.edgesuite.net. 21579 IN CNAME a20.g.akamai.net.
a20.g.akamai.net. 20 IN A 66.77.165.235 <===note the TTL of 20 secs
a20.g.akamai.net. 20 IN A 66.77.165.227 <=== and the num of Cnames

;; AUTHORITY SECTION:
g.akamai.net. 1779 IN NS n8g.akamai.net.
g.akamai.net. 1779 IN NS n0g.akamai.net.
g.akamai.net. 1779 IN NS n1g.akamai.net.
g.akamai.net. 1779 IN NS n2g.akamai.net.
g.akamai.net. 1779 IN NS n3g.akamai.net.
g.akamai.net. 1779 IN NS n4g.akamai.net.
g.akamai.net. 1779 IN NS n5g.akamai.net.
g.akamai.net. 1779 IN NS n6g.akamai.net.
g.akamai.net. 1779 IN NS n7g.akamai.net.

;; Query time: 130 msec
;; SERVER: 192.168.1.2#53(192.168.1.2)
;; WHEN: Sat Jul 10 12:56:52 2004
;; MSG SIZE rcvd: 297

Now, less than 4 minutes later I get this response:

[root@rocknyou log]# dig www.foxnews.com

; <<>> DiG 9.2.1 <<>> www.foxnews.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44268
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 9, ADDITIONAL: 0

;; QUESTION SECTION:
;www.foxnews.com. IN A

;; ANSWER SECTION:
www.foxnews.com. 3361 IN CNAME www.foxnews.com.edgesuite.net.
www.foxnews.com.edgesuite.net. 21362 IN CNAME a20.g.akamai.net.
a20.g.akamai.net. 20 IN A 66.77.165.225 <== whoa, more CNames and they
a20.g.akamai.net. 20 IN A 66.77.165.227 <== change every few minutes.
a20.g.akamai.net. 20 IN A 66.77.165.235
a20.g.akamai.net. 20 IN A 66.77.165.218
a20.g.akamai.net. 20 IN A 66.77.165.219

;; AUTHORITY SECTION:
g.akamai.net. 1562 IN NS n2g.akamai.net.
g.akamai.net. 1562 IN NS n3g.akamai.net.
g.akamai.net. 1562 IN NS n4g.akamai.net.
g.akamai.net. 1562 IN NS n5g.akamai.net.
g.akamai.net. 1562 IN NS n6g.akamai.net.
g.akamai.net. 1562 IN NS n7g.akamai.net.
g.akamai.net. 1562 IN NS n8g.akamai.net.
g.akamai.net. 1562 IN NS n0g.akamai.net.
g.akamai.net. 1562 IN NS n1g.akamai.net.

;; Query time: 17 msec
;; SERVER: 192.168.1.2#53(192.168.1.2)
;; WHEN: Sat Jul 10 13:00:29 2004
;; MSG SIZE rcvd: 345

While all this is going on, of course the MickeySoft DNSs do get messed up, but since I'm seeing it from various places and not just on my Biz IPOPs I was wondering if this might be fallout from the previous attack on Akamai. Just odd I guess, and 1 more reason to push Nix as a DNS versus the M$ boxes.

Cheers
-Joe Blanchard

----- Original Message -----
From: "John Payne" <john@sackheads.org>
To: "joe" <joej@rocknyou.com>
Cc: <nanog@merit.edu>
Sent: Saturday, July 10, 2004 12:55 AM
Subject: Re: DNS with Akamai
On Jul 10, 2004, at 12:20 AM, joe wrote:
Anyone noticing issues with Akamai and their DNS stuff? Just wondering because I'm seeing strange responses regarding www.foxnews.com, in that one of the Cnames a20.g.akamai.com is changing every 20 seconds, and sometimes no response at all.
Is it just foxnews or other sites too? There's a thread on inet-access regarding foxnews and windows 2003 nameservers.
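An added example (written here, not Joe's code) that parses the ANSWER sections of the two dig runs Joe posted and reports, per RRset, the TTL and which addresses appeared or vanished between the two lookups. The record lines are copied from his output; the 60-second cut-off used to flag a "rotating" short-TTL set is an assumed threshold, not something from the thread.

```python
# Compare the ANSWER sections of two dig runs a few minutes apart.
# Added example; the record lines below are copied from the thread, the
# 60-second "short TTL" threshold is an assumed value.
import re

RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")

SNAPSHOT_1 = """\
www.foxnews.com. 3578 IN CNAME www.foxnews.com.edgesuite.net.
www.foxnews.com.edgesuite.net. 21579 IN CNAME a20.g.akamai.net.
a20.g.akamai.net. 20 IN A 66.77.165.235
a20.g.akamai.net. 20 IN A 66.77.165.227
"""
SNAPSHOT_2 = """\
www.foxnews.com. 3361 IN CNAME www.foxnews.com.edgesuite.net.
www.foxnews.com.edgesuite.net. 21362 IN CNAME a20.g.akamai.net.
a20.g.akamai.net. 20 IN A 66.77.165.225
a20.g.akamai.net. 20 IN A 66.77.165.227
a20.g.akamai.net. 20 IN A 66.77.165.235
a20.g.akamai.net. 20 IN A 66.77.165.218
a20.g.akamai.net. 20 IN A 66.77.165.219
"""

def parse_answer(text):
    """Return {(owner, type): (ttl, set of rdata)} for the RR lines in dig output."""
    rrsets = {}
    for line in text.splitlines():
        m = RR_LINE.match(line.strip())
        if not m:
            continue  # comment lines, blank lines and the QUESTION section do not match
        owner, ttl, rtype, rdata = m.groups()
        rrsets.setdefault((owner, rtype), (int(ttl), set()))[1].add(rdata)
    return rrsets

def compare_snapshots(old, new, short_ttl=60):
    """Per RRset: latest TTL, rdata added/removed, and whether a short-TTL set churned."""
    report = {}
    for key in set(old) | set(new):
        old_ttl, old_vals = old.get(key, (None, set()))
        new_ttl, new_vals = new.get(key, (None, set()))
        ttl = new_ttl if new_ttl is not None else old_ttl
        added, removed = sorted(new_vals - old_vals), sorted(old_vals - new_vals)
        # A constant TTL of 20 across queries minutes apart means the set was refetched,
        # not served from cache; churn in such a set is what Joe saw for a20.g.akamai.net.
        report[key] = {"ttl": ttl, "added": added, "removed": removed,
                       "rotating": ttl <= short_ttl and bool(added or removed)}
    return report
```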
On Sat, 10 Jul 2004, joe wrote:
Anyone noticing issues with Akamai and their DNS stuff? Just wondering because I'm seeing strange responses regarding www.foxnews.com, in that one of the Cnames a20.g.akamai.com is changing every 20 seconds, and sometimes no response at all.
It's Saturday, and I can't resist... Even Akamai can't make them fair and "balanced". Har har. Sorry, Charles
-Joe Blanchard
participants (6)
- Charles Sprickman
- Etaoin Shrdlu
- joe
- John Payne
- Lloyd Taylor
- Matt Larson