[Dnssec-deployment] Something rotten in the state of itar.iana.org

Chris Thompson cet1 at cam.ac.uk
Mon Aug 23 11:08:29 EDT 2010


ITAR.IANA.ORG is a CNAME with target ITAR.VIP.ICANN.ORG.

The bad news: type AAAA requests over UDP to the servers for the
VIP.ICANN.ORG zone time out. This doesn't seem to be quite the usual
brain-damaged load-balancer bug, as types other than AAAA seem to work
OK, and type AAAA requests over TCP give a satisfactory "nodata" response.
(But of course, without a TC response to the UDP request, iterative
resolvers aren't going to try that.) Brain-damaged *firewall*, maybe? 

The much worse news: two IPv4 addresses are (sometimes?) returned for
ITAR.VIP.ICANN.ORG: 208.77.188.120 and 192.0.46.85. The first has the
current ITAR (serial 45), the latter a very old one (serial 33).

I know that Michael Graff has had problems with entries in dlv.isc.org
imported from the ITAR mysteriously reverting to a previous state -
this seems to be a possible explanation for that.

-- 
Chris Thompson               University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.
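
Added example (not part of the original message): a small Python model of the resolver behaviour described above, where a UDP timeout never leads to a TCP retry because only a reply with the TC bit set triggers one. The reply bytes are constructed samples, and the function names and step labels are illustrative assumptions, not any resolver's actual API.

```python
import struct

TC_BIT = 0x0200  # truncation flag in the DNS header flags word

def build_query(qname, qtype, qid=0x1234):
    """Encode a minimal DNS query (RD clear, as an iterative resolver sends)."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def classify(response):
    """Classify a raw DNS response; None models a UDP timeout."""
    if response is None:
        return "timeout"
    if len(response) < 12:
        return "malformed"
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if flags & TC_BIT:
        return "truncated"
    rcode = flags & 0x000F
    if rcode == 3:
        return "nxdomain"
    if rcode == 0 and ancount == 0:
        return "nodata"
    return "answer" if rcode == 0 else "error"

def udp_next_step(udp_response):
    """Hypothetical labels for what the resolver does after the UDP attempt."""
    outcome = classify(udp_response)
    if outcome == "truncated":
        return "retry_over_tcp"
    if outcome == "timeout":
        return "retry_udp_or_try_next_server"  # TCP is never attempted
    return "use_" + outcome

def make_response(query, flags, ancount=0):
    """Constructed reply: echo the question, set header flags and counts."""
    qid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0) + query[12:]

query = build_query("itar.vip.icann.org", 28)  # 28 = AAAA
nodata_reply = make_response(query, 0x8400)  # constructed: QR+AA, NOERROR, no answers
truncated_reply = make_response(query, 0x8400 | TC_BIT)  # constructed: same, TC set

if __name__ == "__main__":
    for label, resp in (("timeout", None), ("TC set", truncated_reply), ("NODATA", nodata_reply)):
        print(label, "->", udp_next_step(resp))
```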

