Latest news of the domain name industry

Recent Posts

Glitch takes out ICANN’s zone file service

Kevin Murphy, April 30, 2014, 16:50:41 (UTC), Domain Services

A bug which gave elevated privileges to new gTLD registries has taken out ICANN’s Centralized Zone Data Service for the best part of a day.

CZDS is the central clearinghouse for zone file data access requests. All new gTLD registries must participate. DI uses the data provided via the service to calculate registration numbers.

The service was turned off yesterday after registries noticed that they were able to view and approve pending requests made to rival registries and informed ICANN.

The site has been “currently undergoing maintenance” since at least 0200 UTC today. The bug was present from at least 2100 on Monday night, which was when I first heard about it.

ICANN tells me the move to take down the site yesterday was made out of “an abundance of caution” and that its techies are looking at the issue right now.

Talking to a few registries, it seems they were given super-user privileges.

They were able to review requests for zone file access made by users like DI to any new gTLD registry. They would have been able to approve such requests, registries tell me.

The contact information of the requesting party was also visible, they tell me.

I think in most cases this isn’t a big deal. I assume most CZDS users just blanket-request every file from every gTLD registry, but there could hypothetically be edge cases where a sensitive request was exposed.

For the avoidance of confusion, the bug would not have given anyone the ability to edit any zone files. CZDS is just a publishing clearinghouse, it has no functional role in the DNS.

Two other ICANN sites, the Global Domains Division portal and parts of MyICANN, both of which run on the Force.com platform, also currently appear to be down for maintenance, but it’s not currently clear if these issues are related.

Tagged: ,

Comments (13)

  1. Rubens Kuhl says:

    Nooooo, the G-word again! Aaaaargh!

  2. It is a bit frustrating. At least ICANN should have notified contacts that the site was down since some of the processing of these zonefiles would not be manual.

  3. That was fast 🙂
    “On 29 April 2014 we were notified of a potential technical problem in the
    Centralized Zone Data System (CZDS). We are working quickly to restore access to
    the CZDS, and will let you know when this occurs.”

  4. James says:

    Good thing these folks aren’t managing the root. Yet.

  5. Bernd Lessing says:

    After they fixed the bug that shut down their website, it looks like they introduced a new one: Some zone files work, others dont’t. Try getting the .guru zone file, for example. Or is it just me?

  6. Berry says:

    Similar to John, we have an issue with accessing CZDS via API. I resorted to manual downloads from the CZDS site. Of the 190 or so that we are approved, 26 produced and error of “Unknown Network Error”. An additional 8 zones were 0kb.

    We submitted a problem request to CZDS.

  7. Got an e-mail back from ICANN on it and it has been passed on to the CZDS technical people. No indication of when it will be fixed though.

    The Fourkitchens Python script (older and newer versions) got as far as downloading one file and the second file had a problem and as Berry said above, the connection was terminated. At a wild guess, it looks like fixing the registry permissions issue has broken something at the file system permissions level.

    • Kevin Murphy says:

      I use a custom script for downloading. It seems to be working okay, but I’m going to double check.

      Thanks for the comments guys.

  8. It was working earlier this morning (approx 06:00).

Add Your Comment