requesting hard data sources on ramifications of verisign wildcard
William Allen Simpson
wsimpson at greendragon.com
Fri Oct 17 05:13:37 UTC 2003
k claffy wrote:
>...
> please send any hard data reflecting observed ramifications on
> security and stability of Internet infrastructure to
>
> secsac-comment at icann.org
>
> no hard data will be refused service
Here's a glimpse of some data for a small ISP (bcc'd to secsac).
This mail server was clogging with spam that couldn't be rejected with
bad .com and .net incoming addresses, and with bad .com and .net
outgoing undeliverable addresses. The server failed (stopped responding
to new SMTP requests, and/or crashed) again and again:
Sun, Sep 21, 2003 11:52 PM mail.WaterValley.Net 2 minutes, 35 seconds
Mon, Sep 22, 2003 00:01 AM mail.WaterValley.Net 4 minutes, 7 seconds
Mon, Sep 22, 2003 00:12 AM mail.WaterValley.Net 5 minutes, 48 seconds
Mon, Sep 22, 2003 01:18 AM mail.WaterValley.Net 1 minute, 1 second
Mon, Sep 22, 2003 04:07 AM mail.WaterValley.Net 5 minutes, 16 seconds
Mon, Sep 22, 2003 04:23 AM mail.WaterValley.Net 3 minutes, 3 seconds
Mon, Sep 22, 2003 04:33 AM mail.WaterValley.Net 1 minute, 19 seconds
Mon, Sep 22, 2003 04:37 AM mail.WaterValley.Net 9 minutes, 4 seconds
Mon, Sep 22, 2003 06:47 AM mail.WaterValley.Net 22 minutes, 58 seconds
Mon, Sep 22, 2003 07:15 AM mail.WaterValley.Net 6 minutes, 59 seconds
...
Mon, Sep 22, 2003 09:53 PM mail.WaterValley.Net 3 minutes, 0 seconds
Mon, Sep 22, 2003 10:01 PM mail.WaterValley.Net 5 minutes, 0 seconds
Mon, Sep 22, 2003 10:13 PM mail.WaterValley.Net 3 minutes, 1 second
Mon, Sep 22, 2003 10:21 PM mail.WaterValley.Net 3 minutes, 1 second
Mon, Sep 22, 2003 10:31 PM mail.WaterValley.Net 3 minutes, 1 second
Mon, Sep 22, 2003 10:39 PM mail.WaterValley.Net 3 minutes, 1 second
Mon, Sep 22, 2003 10:49 PM mail.WaterValley.Net 3 minutes, 1 second
Mon, Sep 22, 2003 10:59 PM mail.WaterValley.Net 3 minutes, 1 second
Mon, Sep 22, 2003 11:07 PM mail.WaterValley.Net 3 minutes, 2 seconds
Mon, Sep 22, 2003 11:17 PM mail.WaterValley.Net 1 minute, 3 seconds
Then, A MIRACLE OCCURRED! The problems STOPPED!
That miracle was BIND 9.2.3rc3, for which we are eternally grateful.
As I posted to NANOG on Tue, 23 Sep 2003 02:35:48 -0400:
William Allen Simpson wrote:
# Thought I'd mention that I helped set up BIND 9.2.3rc3 on a yellowdog
# linux powercomputing machine tonight. It worked. And the mail queues
# began clearing out. ...
The next downtime (for restoring saved mail queues) was:
Wed, Sep 24, 2003 06:39 PM mail.WaterValley.Net 21 minutes, 0 seconds
Note the dramatic difference -- from failures several times per hour,
to stability for days!
I don't know how many others were devastated by the VeriSign wildcards,
or whether the differences were as dramatic elsewhere. Hopefully,
other ISPs worldwide will step forward.
I expect we can come up with more data, but I'll save most of it for
the expected future affidavits....
--
William Allen Simpson
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
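
Added example, not part of the original message and not BIND's code: a sketch of why a mail server's "does this address's domain resolve?" check stops rejecting bad .com and .net addresses once the TLD answers for every name, next to a wildcard-aware version of the same check. The resolver, the addresses and all function names are constructed for illustration, and the check looks only at address records (a real MTA would also consult MX).

```python
import secrets

# Constructed data: a documentation-range address stands in for the wildcard target.
WILDCARD_IP = "192.0.2.1"
REGISTERED = {"example.com": ["198.51.100.25"]}

def fake_resolve(name):
    """Constructed resolver: .com/.net answer for every name, other TLDs return nothing."""
    name = name.lower()
    if name in REGISTERED:
        return REGISTERED[name]
    if name.endswith((".com", ".net")):
        return [WILDCARD_IP]   # wildcard answer instead of NXDOMAIN
    return []                  # behaves like NXDOMAIN

def naive_domain_exists(domain, resolve):
    """The usual check: any answer at all means the domain exists."""
    return bool(resolve(domain))

def wildcard_addresses(tld, resolve, probes=3):
    """Resolve random names that cannot be registered; addresses common to
    every probe are the TLD's wildcard answers (empty set if any probe fails)."""
    seen = [frozenset(resolve(f"{secrets.token_hex(16)}.{tld}")) for _ in range(probes)]
    if not all(seen):
        return frozenset()
    return frozenset.intersection(*seen)

def domain_exists(domain, resolve, cache):
    """Wildcard-aware check: answers that consist only of the TLD's wildcard
    addresses are treated as 'no such domain'. A real domain hosted on the
    wildcard address itself would be misjudged, which is acceptable here."""
    tld = domain.rsplit(".", 1)[-1].lower()
    if tld not in cache:
        cache[tld] = wildcard_addresses(tld, resolve)
    return bool(set(resolve(domain)) - cache[tld])

if __name__ == "__main__":
    cache = {}
    for d in ("example.com", "no-such-sender-domain.com", "no-such-sender-domain.org"):
        print(d, naive_domain_exists(d, fake_resolve), domain_exists(d, fake_resolve, cache))
```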