Verisign saw MASSIVE query spike during Facebook outage
Verisign’s .com and .net name servers saw a huge spike in queries when Facebook went offline for hours last October, Verisign said this week.
Queries for facebook.com, instagram.com, and whatsapp.net peaked at over 900,000 per second during the outage, up from a normal rate of 7,000 per second, a more than 100x increase, the company said in a blog post.
The widely publicized Facebook outage was caused by its IP addresses, including the IP addresses of its DNS servers, being accidentally withdrawn from routing tables. At first it looked to outside observers like a DNS failure.
When computers worldwide failed to find Facebook on their recursive name servers, they went up the hierarchy to Verisign’s .com and .net servers to find out where they’d gone, which led to the spike in traffic to those zones.
Traffic from DNS resolver networks run by Google and Cloudflare grew by 7,000x and 2,000x respectively during the outage, Verisign said.
The company also revealed that the failure of .club and .hsbc TLDs a few days later had a similar effect on the DNS root servers that Verisign operates.
Queries for the two TLDs at the root went up 45x, from 80 to 3,700 queries per second, Verisign said.
While the company said its systems were not overloaded, it subtly criticized DNS resolver networks such as Google and Cloudflare for “unnecessarily aggressive” query-spamming, writing:
“We believe it is important for the security, stability and resiliency of the internet’s DNS infrastructure that the implementers of recursive resolvers and public DNS services carefully consider how their systems behave in circumstances where none of a domain name’s authoritative name servers are providing responses, yet the parent zones are providing proper referrals. We feel it is difficult to rationalize the patterns that we are currently observing, such as hundreds of queries per second from individual recursive resolver sources. The global DNS would be better served by more appropriate rate limiting, and algorithms such as exponential backoff, to address these types of cases.”
Verisign said it is proposing updates to internet standards to address this problem.
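The rate limiting and exponential backoff that Verisign's post calls for can be sketched as a per-domain gate in front of a resolver's parent-zone lookups. This is an added example, not code from Verisign or from any resolver implementation; the class and function names, the client query rate, the outage length and the timer values are all constructed assumptions.

```python
# Added illustration, not Verisign's or any resolver's code. All rates,
# durations and timer values below are constructed assumptions.

class DelegationBackoff:
    """Per-domain gate: after a resolution attempt fails because no
    authoritative server answered, hold off re-asking the parent zone for a
    delay that doubles on each consecutive failure, up to a cap."""

    def __init__(self, base_s=1, cap_s=300):
        self.base_s, self.cap_s = base_s, cap_s
        self.state = {}  # domain -> (next_allowed_time, next_delay)

    def may_query_parent(self, domain, now):
        next_allowed, _ = self.state.get(domain, (0, self.base_s))
        return now >= next_allowed

    def record_failure(self, domain, now):
        _, delay = self.state.get(domain, (0, self.base_s))
        self.state[domain] = (now + delay, min(delay * 2, self.cap_s))

    def record_success(self, domain):
        self.state.pop(domain, None)  # domain is reachable again: reset


def simulate_outage(client_qps, outage_s, gate=None, domain="example.com"):
    """Count the referral queries one resolver sends to the parent zone while
    every authoritative server for `domain` is unreachable."""
    sent = 0
    for now in range(outage_s):
        for _ in range(client_qps):
            if gate is not None and not gate.may_query_parent(domain, now):
                continue  # answered from local failure state, parent not asked
            sent += 1     # parent returns a proper referral...
            if gate is not None:
                gate.record_failure(domain, now)  # ...but the child is silent
    return sent


if __name__ == "__main__":
    print("no backoff:  ", simulate_outage(100, 3600))
    print("with backoff:", simulate_outage(100, 3600, DelegationBackoff()))
```

Without the gate, every client query during the outage becomes a query to the parent zone; with it, the parent sees only a handful of probes per domain, and a single successful answer resets the timer.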
Microsoft, Yahoo and others involved in new dot-brand gTLD group
HSBC, Microsoft, Yahoo and jewelry maker Richemont have told ICANN they plan to form a new GNSO stakeholder group just for single-registrant gTLD registries.
The group would comprise dot-brand registries and — potentially — other types of single-user gTLD manager.
A letter (pdf) to ICANN chair Steve Crocker, signed by executives from the four companies, reads in part:
“As a completely new type of contracted party, we do not have a home to represent our unique community. In addition, the existence of conflicts with other contracted parties makes it challenging for us to reside within their stakeholder group.”
Combined, the companies have applied for about 30 single-registrant gTLDs, mostly corresponding to brands.
Richemont, which is applying for dot-brands including .cartier, is also applying for the keywords .jewelry and .watches as single-user spaces.
The group plans to discuss formalizing itself at the next ICANN meeting, in Toronto this October.
During the just-concluded Prague meeting, the GNSO’s existing registries stakeholder group accepted several new gTLD applicants — I believe mainly conventional registries — into the fold as observers.
How the influx of new gTLD registries will affect the GNSO’s structure was a hot topic for the Governmental Advisory Committee during the meeting too. I guess now it has some of the answers it was looking for.