[Dnssec-deployment] Something rotten in the state of itar.iana.org
cet1 at cam.ac.uk
Mon Aug 23 11:08:29 EDT 2010
ITAR.IANA.ORG is a CNAME with target ITAR.VIP.ICANN.ORG.
The bad news: type AAAA requests over UDP to the servers for the
VIP.ICANN.ORG zone time out. This doesn't seem to be quite the usual
brain-damaged load-balancer bug, as types other than AAAA seem to work
OK, and type AAAA requests over TCP give a satisfactory "nodata" response.
(But of course, without a TC response to the UDP request, iterative
resolvers aren't going to try that.) Brain-damaged *firewall*, maybe?
The much worse news: two IPv4 addresses are (sometimes?) returned for
ITAR.VIP.ICANN.ORG: 220.127.116.11 and 18.104.22.168. The first has the
current ITAR (serial 45), the latter a very old one (serial 33).
I know that Michael Graff has had problems with entries in dlv.isc.org
imported from the ITAR mysteriously reverting to a previous state -
this seems to be a possible explanation for that.
Chris Thompson
University of Cambridge Computing Service,
New Museums Site, Cambridge CB2 3QH, United Kingdom.
Email: cet1 at ucs.cam.ac.uk
Phone: +44 1223 334715
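The UDP/TCP behaviour described in the message above, as an added example that is not part of the original post: a small model of why a resolver that gets no reply over UDP never reaches the TCP path, even though TCP would return a clean "nodata". The reply bytes are constructed here for illustration (not captured traffic), and the function names are hypothetical.

```python
import struct

QTYPE_AAAA = 28
FLAG_QR, FLAG_AA, FLAG_TC = 0x8000, 0x0400, 0x0200

def build_query(name, qtype, qid=0x1234):
    """Encode a one-question DNS query with RD clear, as an iterative resolver sends."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def make_reply(query, flags, ancount=0):
    """Constructed reply: echoes the query id and question with the given flags."""
    return query[:2] + struct.pack("!HHHHH", flags, 1, ancount, 0, 0) + query[12:]

def classify(reply):
    """Classify one reply; None stands for a query that timed out."""
    if reply is None:
        return "timeout"
    if len(reply) < 12:
        return "malformed"
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", reply[:12])
    if flags & FLAG_TC:
        return "truncated"
    rcode = flags & 0x000F
    if rcode:
        return "rcode=%d" % rcode
    return "answer" if ancount else "nodata"

def resolver_outcome(udp_reply, tcp_reply):
    """TCP is only tried after a UDP reply with TC=1; a silent drop never triggers it."""
    udp = classify(udp_reply)
    return classify(tcp_reply) if udp == "truncated" else udp

# Constructed sample data for the name discussed in the message.
QUERY = build_query("itar.vip.icann.org", QTYPE_AAAA)
TCP_NODATA = make_reply(QUERY, FLAG_QR | FLAG_AA)            # NOERROR, no answers
UDP_TC = make_reply(QUERY, FLAG_QR | FLAG_AA | FLAG_TC)      # what a TC reply would look like

if __name__ == "__main__":
    print("UDP dropped, TCP healthy :", resolver_outcome(None, TCP_NODATA))
    print("UDP says TC, TCP healthy :", resolver_outcome(UDP_TC, TCP_NODATA))
```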