[Dnssec-deployment] Something rotten in the state of itar.iana.org
kim.davies at icann.org
Mon Aug 23 11:52:53 EDT 2010
On 23/08/2010, at 8:08 AM, Chris Thompson wrote:
> ITAR.IANA.ORG is a CNAME with target ITAR.VIP.ICANN.ORG.
> The bad news: type AAAA requests over UDP to the servers for the
> VIP.ICANN.ORG zone time out. This doesn't seem to be quite the usual
> brain-damaged load-balancer bug, as types other than AAAA seem to work
> OK, and type AAAA requests over TCP give a satisfactory "nodata" response.
> (But of course, without a TC response to the UDP request, iterative
> resolvers aren't going to try that.) Brain-damaged *firewall*, maybe?
We first observed this problem in the last few weeks, and our network staff have been working on it. The version with the out-of-date data is a lukewarm standby which should never normally be "online", but for some reason is occasionally being hit by about 5 unique remote IP addresses. The workflow daemon only operates on the active version, which is responsible for generating the export files, which is why you see old snapshots if you hit the standby, even though the data is in sync if you browse the web listing.
I've passed on this additional data which I hope will help our engineers nail the cause.
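The UDP-versus-TCP comparison described in the quoted report can be scripted per query type, as in this added example (not part of the original thread). The server address is a documentation placeholder and the function names are hypothetical; only the queried name comes from the message.

```python
import socket
import struct

QTYPES = {"A": 1, "AAAA": 28}

def build_query(name, qtype, qid=0x1234):
    """Minimal DNS query with RD=0, as an iterative resolver would send."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!6H", qid, 0, 1, 0, 0, 0) + qname + struct.pack("!2H", QTYPES[qtype], 1)

def parse_header(msg):
    """Extract the TC bit, RCODE and answer count from a response."""
    _, flags, _, ancount, _, _ = struct.unpack("!6H", msg[:12])
    return {"tc": bool(flags & 0x0200), "rcode": flags & 0x000F, "answers": ancount}

def ask(server, pkt, tcp, timeout=3.0):
    """Send pkt to server:53; return the raw response, or None on timeout/error."""
    try:
        if not tcp:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(pkt, (server, 53))
                return s.recvfrom(4096)[0]
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(pkt)) + pkt)  # TCP adds a 2-byte length
            f = s.makefile("rb")
            (n,) = struct.unpack("!H", f.read(2))
            return f.read(n)
    except (OSError, struct.error):
        return None

def classify(udp, tcp):
    """Compare the UDP and TCP outcomes for one (server, qtype) pair."""
    if udp is None and tcp is None:
        return "unreachable"
    if udp is None:
        # No UDP reply means no TC bit either, so a resolver never retries on TCP.
        return "udp-dropped"
    h = parse_header(udp)
    if h["tc"]:
        return "truncated"
    return "nodata" if h["rcode"] == 0 and h["answers"] == 0 else "response"

if __name__ == "__main__":
    server = "192.0.2.53"  # placeholder (TEST-NET-1); use the zone's real NS address
    for qtype in QTYPES:
        pkt = build_query("itar.vip.icann.org", qtype)
        print(qtype, classify(ask(server, pkt, False), ask(server, pkt, True)))
```

A result of `udp-dropped` for AAAA alongside a normal result for A matches the symptom in the report and points at something on the UDP path filtering by query type.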