nanog mailing list archives
Re: requesting hard data sources on ramifications of verisign wildcard
From: William Allen Simpson <wsimpson () greendragon com>
Date: Fri, 17 Oct 2003 01:13:37 -0400
k claffy wrote:
> ...
> please send any hard data reflecting observed ramifications on
> security and stability of Internet infrastructure to
> secsac-comment () icann org
>
> no hard data will be refused service

Here's a glimpse of some data for a small ISP (bcc'd to secsac).
This mail server was clogging with spam that couldn't be rejected with
bad .com and .net incoming addresses, and with bad .com and .net
outgoing undeliverable addresses. The server failed (stopped responding
to new SMTP requests, and/or crashed) again and again:
Sun, Sep 21, 2003 11:52 PM mail.WaterValley.Net 2 minutes, 35 seconds
Mon, Sep 22, 2003 00:01 AM mail.WaterValley.Net 4 minutes, 7 seconds
Mon, Sep 22, 2003 00:12 AM mail.WaterValley.Net 5 minutes, 48 seconds
Mon, Sep 22, 2003 01:18 AM mail.WaterValley.Net 1 minute, 1 second
Mon, Sep 22, 2003 04:07 AM mail.WaterValley.Net 5 minutes, 16 seconds
Mon, Sep 22, 2003 04:23 AM mail.WaterValley.Net 3 minutes, 3 seconds
Mon, Sep 22, 2003 04:33 AM mail.WaterValley.Net 1 minute, 19 seconds
Mon, Sep 22, 2003 04:37 AM mail.WaterValley.Net 9 minutes, 4 seconds
Mon, Sep 22, 2003 06:47 AM mail.WaterValley.Net 22 minutes, 58 seconds
Mon, Sep 22, 2003 07:15 AM mail.WaterValley.Net 6 minutes, 59 seconds
...
Mon, Sep 22, 2003 09:53 PM mail.WaterValley.Net 3 minutes, 0 seconds
Mon, Sep 22, 2003 10:01 PM mail.WaterValley.Net 5 minutes, 0 seconds
Mon, Sep 22, 2003 10:13 PM mail.WaterValley.Net 3 minutes, 1 second
Mon, Sep 22, 2003 10:21 PM mail.WaterValley.Net 3 minutes, 1 second
Mon, Sep 22, 2003 10:31 PM mail.WaterValley.Net 3 minutes, 1 second
Mon, Sep 22, 2003 10:39 PM mail.WaterValley.Net 3 minutes, 1 second
Mon, Sep 22, 2003 10:49 PM mail.WaterValley.Net 3 minutes, 1 second
Mon, Sep 22, 2003 10:59 PM mail.WaterValley.Net 3 minutes, 1 second
Mon, Sep 22, 2003 11:07 PM mail.WaterValley.Net 3 minutes, 2 seconds
Mon, Sep 22, 2003 11:17 PM mail.WaterValley.Net 1 minute, 3 seconds
Then, A MIRACLE OCCURRED! The problems STOPPED!
That miracle was BIND 9.2.3rc3, for which we are eternally grateful.
As I posted to NANOG on Tue, 23 Sep 2003 02:35:48 -0400:
William Allen Simpson wrote:
# Thought I'd mention that I helped setup BIND 9.2.3rc3 on a yellowdog
# linux powercomputing machine tonight. It worked. And the mail queues
# began clearing out. ...
The next downtime (for restoring saved mail queues) was:
Wed, Sep 24, 2003 06:39 PM mail.WaterValley.Net 21 minutes, 0 seconds
Note the dramatic difference -- from failures several times per hour,
to stability for days!
I don't know how many others were devastated by the VeriSign wildcards,
or whether the differences were as dramatic elsewhere. Hopefully,
other ISPs worldwide will step forward.
I expect we can come up with more data, but I'll save most of it for
the expected future affidavits....
--
William Allen Simpson
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
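
The failure described in the post (a mail server that can no longer reject bad .com and .net sender domains because a registry wildcard makes every name resolve), with one way to restore the check, as an added example that is not part of the original post. The `resolve` callable, the zone data and the addresses are constructed assumptions; a real MTA would look up MX and A records through its resolver.

```python
import secrets

# Constructed sample data (documentation address ranges), not from the post.
ZONE = {"example.com": ["192.0.2.10"], "example.org": ["192.0.2.20"]}
WILDCARD = {"com": ["198.51.100.1"], "net": ["198.51.100.1"]}  # registry wildcard


def make_resolver(zone, wildcard):
    """Hypothetical stand-in for a DNS lookup: returns [] for NXDOMAIN."""
    def resolve(name):
        name = name.lower().rstrip(".")
        if name in zone:
            return zone[name]
        return wildcard.get(name.rsplit(".", 1)[-1], [])
    return resolve


def wildcard_signature(tld, resolve, probes=3):
    """Addresses a TLD returns for random names that cannot be registered.

    An empty set means at least one probe got NXDOMAIN, i.e. no wildcard.
    """
    seen = set()
    for _ in range(probes):
        addrs = resolve(f"{secrets.token_hex(16)}.{tld}")
        if not addrs:
            return frozenset()
        seen.update(addrs)
    return frozenset(seen)


def sender_domain_exists(domain, resolve, signatures):
    """Sender-domain check that treats wildcard-only answers as nonexistent."""
    addrs = set(resolve(domain))
    if not addrs:
        return False  # ordinary NXDOMAIN: reject as before
    tld = domain.rstrip(".").rsplit(".", 1)[-1].lower()
    return not addrs <= signatures.get(tld, frozenset())


RESOLVE = make_resolver(ZONE, WILDCARD)
SIGNATURES = {t: wildcard_signature(t, RESOLVE) for t in ("com", "net", "org")}

if __name__ == "__main__":
    for d in ("example.com", "no-such-sender.com", "no-such-sender.org"):
        print(d, sender_domain_exists(d, RESOLVE, SIGNATURES))
```

Passing an empty `signatures` mapping reproduces the broken behaviour: every .com or .net sender domain then appears to exist.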
