[NOC] ARIN contact needed: something bad happens with legacy IPv4 block's reverse delegations
Doug Barton
dougb at dougbarton.us
Sun Mar 19 01:58:52 UTC 2017
On 03/17/2017 10:42 AM, Mark Kosters wrote:
> On 3/17/17, 12:26 PM, "NANOG on behalf of William Herrin"
> <nanog-bounces at nanog.org on behalf of bill at herrin.us> wrote:
>
> On Fri, Mar 17, 2017 at 7:52 AM, Romeo Zwart <rz+nng at zwart.com>
> wrote:
>> RIPE NCC have issued a statement about the issue here:
>>
>> https://www.ripe.net/ripe/mail/archives/dns-wg/2017-March/003394.html
>
>>
>
>> Our apologies for the inconvenience caused.
>
> Hmm. That sounds like an ARIN-side bug too. ARIN's code responded to
> corrupted data by zeroing out the data instead of using the last
> known good data. That's awfully brittle for such a critical service.
>
> Regards, Bill Herrin
>
>
> Hi Bill,
>
> The analysis was not yet complete when the notice went out from RIPE.
> After doing a post-mortum, there were no bugs in ARIN’s software in
> regards to this issue. We followed exactly what RIPE told us to do.
> When we noticed an issue with RIPE’s updates yesterday, we notified
> them as well.
My eyebrows reacted to this the same way Bill's did. It sounds like this
is at least a semi-automated system. Such things should have sanity
checks on the receiving side when told to remove large gobs of data,
even if the instructions validate correctly.
More fundamentally, according to the RIPE report they are sending you
something called "zonelets" which you then process into actual DNS data.
Can you say something about the relative merit of this system, vs.
simply delegating the right zones to the right parties and letting the
DNS do what it was intended to do?
At minimum the fact that this automated system was allowed to wipe out
great chunks of important data calls it into question. And sure, you can
all 3 fix the bugs you found this time around, but up until these bugs
were triggered you all thought the system was functioning perfectly, in
spite of it ending up doing something that obviously was not intended.
Doug
More information about the NANOG
mailing list