
The DNS Server That Lagged Behind
• 3 min read
Around the end of October and beginning of November 2024, twenty six African TLDs had a technical problem - one of their authoritative name servers served stale data. This is a tale of monitoring, anycast, and debugging.
I like the IP address 2610:a1:1072::1:42 since the name is an IDN. But, alas, no DNSSEC.
"They may also receive more spam and phishing e-mails, since modern e-mail security protocols rely on DNSSEC as well." I would like to see email servers use SPF, DKIM and DMARC records only if they have been validated with DNSSEC but I strongly doubt it is the case today.
Developping something new (no installed base) and mission-critical in C, today, is a bit strange. Why not using a safer language?
Nice and useful article. For OpenDNSSEC, the important parameter is named Jitter and is enabled by default. Check that you have something like "<Policy name="default">...<Signatures>... <Jitter>PT12H</Jitter>" It would be nice to document here how it is done for other signing programs.
Great survey, thanks for this work. Indeed, the variations in EDE are funny. For bogus.bortzmeyer.fr, Unbound (and 1.1.1.1) say "9 (DNSKEY Missing)", 9.9.9.9 say "10 (RRSIGs Missing)" and Knot-Resolver say "12 (NSEC Missing)"
"The IP to CO2 Intensity API allows you to query an IP address" The second link actually goes to a service that takes a host name, not an IP address.
A good thing about the IETF is that it is open and discussions are public so here is the link to the discussion inside the IETF about this article: https://mailarchive.ietf.org/arch/msg/ietf/M2vDMHuj063n5jvcUydcr0oRWy0/
I was at the same side meeting and had a different impression. My article in French: https://www.bortzmeyer.org/filtrage-vie-privee.html
Interesting and timely since, in the last two weeks, at least five domains of important public services in France have been down. At least four of them had poor DNS hosting (only two unicast authoritative name servers, sometimes in the same physical location). My report (in French): https://www.bortzmeyer.org/service-public-impots-dns.html
You do not mention the use of RIPE Atlas probes. Is the user tag "iwantbcp38compliancetesting" still useful/used?
Showing 61 comment(s)