[fjk].gtld-servers.net bogus for .com

[fjk].gtld-servers.net (which are listed as authoritative for .com) are
giving bogus authoritative nxdomain results for all the .com domains I
tried. eg.

; <<>> DiG 2.2 <<>> internic.com @f.gtld-servers.net
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10
;; flags: qr aa rd; Ques: 1, Ans: 0, Auth: 1, Addit: 0
;; QUESTIONS:
;; internic.com, type = A, class = IN

;; AUTHORITY RECORDS:
COM. 86400 SOA A.ROOT-SERVERS.NET. hostmaster.INTERNIC.NET. (
                        1998111000 ; serial
                        1800 ; refresh (30 mins)
                        900 ; retry (15 mins)
                        604800 ; expire (7 days)
                        86400 ) ; minimum (1 day)

;; Total query time: 67 msec
;; FROM: valis.worldgate.com to SERVER: f.gtld-servers.net 207.159.77.18
;; WHEN: Wed Nov 11 11:17:16 1998
;; MSG SIZE sent: 30 rcvd: 107

f.root-servers.net is giving non-authoritative "sorry, I don't do that,
here are the nameservers for .com" responses.

I have sent mail to the InterNIC, but just in case you were wondering why
you are seeing what you may be seeing. Symptoms of this problem are being
told by your resolver that various domains do not exist once in a while.

Actually it's more than just the [fjk] gtld servers that are broken. The
[fjkl].root-servers.net are broken also. This looks like a map somewhere
at the Nic got hosed and then transferred to the root servers.

Mel

Okay, here's a temporary solution. Since it looks like it's
  just .COM that's b0rken, you can make your own nameservers
  authoritative for .COM until this blows over.

  Note that this solution is NOT approved by Network Solutions;
  I didn't ask them first, I'm just trying to keep the Internet
  working for everybody.

  If you don't have a recent copy of the .COM zone file lying
  around for just this type of contingency, you can grab the one
  I downloaded this morning at:

    http://www.cybernothing.org/comzone/

  The original md5 and pgp signatures are there, too, in case
  you want to check it.

  Warning: this is a gigantic zone file, so you're gonna need a
  machine with a hell of a lot of RAM. If anybody has such a
  server and enough bandwidth to share it, let us all know!

Yes.. I'm hearing tons of complaints about this.. and it's still broken
at this time, [f jkl] root-servers.net are not responding
correctly and causing a lot of problems on the Internet as a whole.

Many people have sent mail to NetSol about the issue.. but no statements
have come from them (that I have seen).. Anyone have any information?

  -Steve

I spoke with our support rep at NSI about an hour ago, and was told that
he heard someone being yelled at over this (literally), and it was his
understanding that it will be fixed with the next daily update...

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
Patrick Greenwell (800) 299-1288 v
                  CTO (925) 377-1212 v
                           NameSecure (925) 377-1414 f
Coming to the ISPF-II? The Forum for ISPs by ISPs http://www.ispf.com
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

Fixed on the next daily update? So when the AOL problem happened, a special
update was done, but when several hundred (anyone know how many really)
entries are trashed, we all must wait until the next daily update?

Another Public Relations/Customer Service triumph for NSI/InterNIC. </sarcasm>

I suspect more than just the fjk servers are hosed...last night around
midnight I was surfing and had over ten sites disappear between one load
and the next. The domain names ran the gamut from "f" to "u". Given the
time frames, they likely disappeared as the update propagated. Now, either
a whole lot of sites simultaneously had server crashes or....

Spammers should be investigated by Ken Starr!

Dean Robb
PC-EASY computer services
(757) 495-EASY [3279]

I think they would actually do an emergency update for this. A day is a long
time to have 3 IMPORTANT nameservers broken :^>

>I spoke with our support rep at NSI about an hour ago, and was told that
>he heard someone being yelled at over this (literally), and it was his
>understanding that it will be fixed with the next daily update...

  _ __ _____ __ _________
______________ /_______ ___ ____ /______ John Gonzalez/Net.Engineer
__ __ \ __ \ __/_ __ `__ \/ __ /_ ___/ MDC Computers/netMDC!
_ / / / `__/ /_ / / / / / / /_/ / / /__ (505)437-7600/fax-437-3052
/_/ /_/\___/\__/ /_/ /_/ /_/\__,_/ \___/ http://www.netmdc.com
[---------------------------------------------[system info]-----------]
  4:00pm up 31 days, 19:29, 4 users, load average: 0.10, 0.26, 0.23

Exodus has a support representative? Must be nice... :)

I'm on the phone with NetSol now. According to my clock it's 7:06 PM EST,
so the nameserver updates should be happening now.

That quote was from me. And yes, we have a support representative. And
yes, it is nice.

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
Patrick Greenwell (800) 299-1288 v
                  CTO (925) 377-1212 v
                           NameSecure (925) 377-1414 f
Coming to the ISPF-II? The Forum for ISPs by ISPs http://www.ispf.com
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

Just a few clarifications... nothing new, just some explanations of
various things.

>
>Fixed on the next daily update? So when the AOL problem happened, a special
>update was done, but when several hundred (anyone know how many really)
>entries are trashed, we all must wait until the next daily update?

>Another Public Relations/Customer Service triumph for NSI/InterNIC. </sarcasm>
>
>I suspect more than just the fjk servers are hosed...last night around
>midnight I was surfing and had over ten sites disappear between one load
>and the next. The domain names ran the gamut from "f" to "u". Given the
>time frames, they likely disappeared as the update propagated. Now, either
>a whole lot of sites simultaneously had server crashes or....

[fjk] do _not_ serve domain names starting with [fjk]. All servers serve
all names. Without knowing more, what you experienced could have had any
number of causes.

I don't know when people first were aware of this, and I would hope some
were aware before I complained ~1000PST and NSI should have been aware
right away when it happened, since if they don't have automated checking
of each server that has a very high notification priority they are even
worse than stupid, so I'm somewhat doubtful it started at midnight. But
it is possible. NSI does make it hard for anyone who may notice it to
contact them.

I can't understand, however, why it took over two hours to bring down all
the badly broken servers. Some were corrected within 15 minutes or half
an hour after I complained (and who knows how long after the appropriate
people were first notified). One wasn't.

>Fixed on the next daily update? So when the AOL problem happened, a special
>update was done, but when several hundred (anyone know how many really)
>entries are trashed, we all must wait until the next daily update?

Don't take that too literally.

It isn't entries that were trashed AFAIK, but servers. A number (or all)
servers appear to have had trouble updating their zone file. So far so
good. Simply not being updated won't kill anything. Some lost the zone
(on purpose or due to a bug, I don't know) and were acting mostly like a
lame delegation. No huge problem. Some lost all (or a very large %) of
.com yet were still thinking they were authoritative and returning various
false negatives. I know of three that were like that, and have had
reports of more. Anyone asking one of those servers would be incorrectly
told the domain doesn't exist.

This is a VERY bad failure mode.

What is the impact? Well, if 3/12 were doing this then ~1/4 of the
queries (probably not that evenly distributed, but in that ballpark) would
have got false negatives. Now, that is only 1/4 of all queries to the
root servers. Domains with a large TTL that were in caches wouldn't be as
impacted. Domains with a small TTL (eg. 5 minutes) would be very impacted
because they would expire from caches so quickly.

A lot of email is particularly badly impacted, because not only does the
domain it is being sent to have to resolve, but on many systems the
sender's domain has to resolve.

Any resolver implementations that do not put a short upper bound on
negative caching TTLs would be _VERY_ hard hit by this and could still be
having problems unless they were restarted. I have heard that one of MS's
products is like this, but that is just a vague rumor.

Getting back to your question, "the update being completed" refers to
servers being able to transfer the proper zone files and put them in
place.
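
An added illustration of the per-server check described in the message above (not code from the thread or from any operator named in it): a probe for a name known to exist is classified from the raw DNS reply as a healthy delegation, a lame-style referral back to the zone, or an authoritative false negative. The function names and ns.example.net are hypothetical, and the reply bytes are constructed from the header and SOA values in the dig output at the top of the thread.

```python
import struct

def enc_name(name):  # dotted name -> uncompressed DNS labels
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".") if l) + b"\0"

def read_name(msg, off):  # -> (lowercase fqdn, offset just past the name)
    labels, nxt = [], None
    for _ in range(128):                          # bound guards against pointer loops
        n = msg[off]
        if n == 0:
            return ".".join(labels) + ".", (off + 1 if nxt is None else nxt)
        if (n & 0xC0) == 0xC0:                    # compression pointer
            nxt = off + 2 if nxt is None else nxt
            off = ((n & 0x3F) << 8) | msg[off + 1]
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii").lower())
            off += 1 + n
    raise ValueError("name too long or pointer loop")

def under(name, parent):
    return parent == "." or name == parent or name.endswith("." + parent)

def classify(msg, qid, qname, zone):
    """Judge a reply to a probe for qname, a name known to exist in zone."""
    try:
        rid, flags, qd, an, ns, _ = struct.unpack("!6H", msg[:12])
        if rid != qid or qd != 1 or not flags & 0x8000:
            return "malformed"
        if (flags & 0xF) == 3 and flags & 0x0400:  # NXDOMAIN with aa set
            return "FALSE_NEGATIVE"
        if flags & 0xF or an or not ns:
            return "other"
        off = read_name(msg, 12)[1] + 4           # skip QNAME, QTYPE, QCLASS
        owner, off = read_name(msg, off)          # owner of first authority record
        rtype = struct.unpack("!H", msg[off:off + 2])[0]
    except (IndexError, struct.error, ValueError):
        return "malformed"
    if rtype == 2 and owner != zone and under(owner, zone) and under(qname, owner):
        return "delegation"                       # NS set for the probed domain: healthy
    return "lame" if rtype == 2 and under(zone, owner) else "other"

def sample(flags, owner, rtype, rdata, qname="internic.com."):  # constructed reply, id 10
    rr = enc_name(owner) + struct.pack("!HHIH", rtype, 1, 86400, len(rdata)) + rdata
    return struct.pack("!6H", 10, flags, 1, 0, 1, 0) + enc_name(qname) + struct.pack("!HH", 1, 1) + rr

# Constructed sample replies (not captured traffic)
SOA = (enc_name("a.root-servers.net") + enc_name("hostmaster.internic.net")
       + struct.pack("!5I", 1998111000, 1800, 900, 604800, 86400))
BOGUS = sample(0x8503, "com.", 6, SOA)                             # qr aa rd, NXDOMAIN
LAME = sample(0x8100, "com.", 2, enc_name("f.gtld-servers.net"))   # referral back to .com
GOOD = sample(0x8100, "internic.com.", 2, enc_name("ns.example.net"))
```

A monitor would send the probe to every listed server and alert on any FALSE_NEGATIVE, since that reply is the one resolvers will cache as "domain does not exist".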

>Exodus has a support representative? Must be nice... :)

It has been pointed out that Patrick G. said this, not Steve N. from Exodus.
My fault... I misread who said what...

>I'm on the phone with NetSol now. According to my clock it's 7:06 PM EST,
>so the nameserver updates should be happening now.

Actually, upon reading Vix's message, I hung up with NetSol, figuring the
problem was probably already close to being fixed. At that point I didn't
feel like being on hold for another half-hour.

>[fjk] do _not_ serve domain names starting with [fjk]. All servers serve
>all names. Without knowing more, what you experienced could have had any
>number of causes.

Ah, thanks for the lesson. This is why I like NANOG even though I'm not a
network guru. I learn more about how the 'Net works all the time from here.

>I don't know when people first were aware of this, and I would hope some
>were aware before I complained ~1000PST and NSI should have been aware
>right away when it happened, since if they don't have automated checking
>of each server that has a very high notification priority they are even
>worse than stupid, so I'm somewhat doubtful it started at midnight. But
>it is possible. NSI does make it hard for anyone who may notice it to
>contact them.

That would have been around the right time...I had a few domains that were
dead when I tried them around 11pm EST and a ton of them that died after
midnight Eastern.

>false negatives. I know of three that were like that, and have had
>reports of more. Anyone asking one of those servers would be incorrectly
>told the domain doesn't exist.

That's exactly what I was seeing. One moment they were there, then when
next I tried to get a page, it was gone..."Cannot connect to server".

Thanks again for the instruction, O Wise One!

Spammers should be investigated by Ken Starr!

Dean Robb
PC-EASY computer services
(757) 495-EASY [3279]