Slashdot Mirror


Entire .SE TLD Drops Off the Internet

Icemaann writes "Pingdom and Network World are reporting that the SE tld dropped off the internet yesterday due to a bug in the script that generates the SE zone file. The SE tld has close to one million domains that all went down due to missing the trailing dot in the SE zone file. Some caching nameservers may still be returning invalid DNS responses for 24 hours."

207 comments

  1. TPB by Anonymous Coward · · Score: 1, Funny

    They are going to extremes in Sweden to get thepiratebay.org off the internet!

    1. Re:TPB by Anonymous Coward · · Score: 0

      I wonder what part of .SE TLD you missed in the title.

    2. Re:TPB by Anonymous Coward · · Score: 0

      I was going to riff on that but you beat me to it. But I would have said:

      Apparently the *aa's are also too stupid to realize that just because The Pirate Bay admins are Swedish, it doesn't mean that TPB has a .se tld.

      That way, it would have been funny.

    3. Re:TPB by nstlgc · · Score: 1

      Because we all know the MAFIAA are so technically capable!

      --
      I'm Rocco. I'm the +5 Funny man.
    4. Re:TPB by trum4n · · Score: 1

      Sweden? I don't think so! -Prof. Farnsworth

    5. Re:TPB by KevinKnSC · · Score: 3, Funny

      It looks like someone messed up the summary. I'm pretty sure it should be:

      Peengdum und Netvurk Vurld ere-a repurteeng thet zee SE tld drupped ooffff zee internet yesterdey dooe-a tu a boog in zee screept thet generetes zee SE zune-a feele-a. Zee SE tld hes cluse-a tu oone-a meelliun dumeeens thet ell vent doon dooe-a tu meessing zee treeeling dut in zee SE zune-a feele-a. Sume-a cecheeng nemeserfers mey steell be-a retoorneeng infeleed DNS respunses fur 24 huoors.

    6. Re:TPB by Anonymous Coward · · Score: 0

      Peengdum und Netvurk Vurld ere-a repurteeng thet zee SE tld drupped ooffff zee internet yesterdey dooe-a tu a boog in zee screept thet generetes zee SE zune-a feele-a. Zee SE tld hes cluse-a tu oone-a meelliun dumeeens thet ell vent doon dooe-a tu meessing zee treeeling dut in zee SE zune-a feele-a. Sume-a cecheeng nemeserfers mey steell be-a retoorneeng infeleed DNS respunses fur 24 huoors. Børk! Børk! Børk!

      Fixed that for you.

  2. No big deal by RPoet · · Score: 2, Informative

    The downtime lasted 30 minutes, and most domains were probably cached by nameservers anyway.

    --
    "Oppression and harassment is a small price to pay to live in the land of the free." -- Montgomery Burns.
    1. Re:No big deal by wsanders · · Score: 3, Informative

      Yeah, been there done that. *My* fumble only brought 10,000 domains down for about 10 minutes, and no one noticed. (I think all the domains hosted only cat pictures anyway.)

      Sorry, that's as big a responsibility as any employer has ever deemed suitable for my incompetent ass.

      --
      Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
    2. Re:No big deal by eldavojohn · · Score: 5, Funny

      The downtime lasted 30 minutes, and most domains were probably cached by nameservers anyway.

      I once viddied an animated documentary about a small town in Colorado that lost the internet for 22 minutes. It was not pretty. Our hearts and minds go out to you, people of Sweden. I cannot even fathom what that would be like ... I hope the looting and rioting has died down with the restoration of the internet.

      --
      My work here is dung.
    3. Re:No big deal by Anonymous Coward · · Score: 0

      That's OK. If you were competent you might not be inclined to get out of computers. Which you should.

    4. Re:No big deal by scott_karana · · Score: 2, Insightful

      While the impact of this is no big deal, it's still kind of scary that the people running a decently-sized ccTLD would make such a novice mistake on their zonefile.

    5. Re:No big deal by Anonymous Coward · · Score: 0

      I live inside a computer, you insensitive clod!

    6. Re:No big deal by CorporateSuit · · Score: 4, Funny

      The downtime lasted 30 minutes, and most domains were probably cached by nameservers anyway.

      I didn't notice the DNS freak out, but I did notice the internet's smug meter had dropped about 30%.

      --
      I am the richest astronaut ever to win the superbowl.
    7. Re:No big deal by Anonymous Coward · · Score: 0

      It was not the whole internet, it was only .se tld ...

    8. Re:No big deal by eln · · Score: 5, Insightful

      The actual downtime is no big deal, but the reason it happened is. Evidently, the registrar for an entire country's domain likes to roll out changes to the primary zone file without any sort of testing or syntax checking first. Simply having a small network (one or two computers) running a test root server, and running your scripts against that first, would have discovered the bug.

      DNS is very simple, but it's just as prone to human error as anything else. If you're responsible for the records of a large number of domains (like, say, an entire country), you probably ought to take some time to develop proper testing and change control procedures before you fiddle with it. It sounds like these guys didn't take it seriously enough and got burned. I hope they'll learn their lesson from this and change their procedures.

    9. Re:No big deal by someone1234 · · Score: 1

      For the poor souls in the .se domain, it was the end of the universe.

      --
      Patents Drive Free Software as Hurricanes Drive Construction Industry
    10. Re:No big deal by Anonymous Coward · · Score: 0

      At least the offending missing character was a visible character. When I worked for a major telecomm here in the US, one of our partner companies submitted a text file generated on a *nix machine. Ergo, each line feed simply contained the LF. After editing the file from a Windows machine the LF would, silently, be replaced by Notepad.exe with a CRLF. Before I discovered this little problem, it would literally rock our world and the whole house of cards would mysteriously come crumbling down. It took some time for me to discover that it was indeed this little file's use of the LF.

      I found it more interesting that the reason why the partner company didn't want to muck with it was because the file would be 'validated' with their servers. The inclusion of two CRs threw off the checksum value and nothing would work.

      At least these guys could simply open the file and discern what the problem was. Yeah, shame on them.

    11. Re:No big deal by corbettw · · Score: 1

      No big deal? No big deal??? Where the hell else am I supposed to go to look at pictures of hot Swedish women hitting the nightclub scene (in a way that's at least a little SFW) if I can't get to http://www.thelocal.se/?

      --
      God invented whiskey so the Irish would not rule the world.
    12. Re:No big deal by JustOK · · Score: 3, Funny

      Are you my motherboard?

      --
      rewriting history since 2109
    13. Re:No big deal by Anonymous Coward · · Score: 1, Informative

      I hope they'll learn their lesson from this and change their procedures.

      You must be new here.

    14. Re:No big deal by The+Archon+V2.0 · · Score: 1

      It was not the whole internet, it was only .se tld ...

      Can I riot anyway?

    15. Re:No big deal by MrMista_B · · Score: 2, Insightful

      You expect them to be absolutely perfect all the time no matter what, forever and ever? /That's/ unrealistic.

    16. Re:No big deal by Beardo+the+Bearded · · Score: 2, Interesting

      My biggest bug resulted in about a dozen tigers getting tranquilized.

      --

      ---
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
    17. Re:No big deal by Anonymous Coward · · Score: 1, Insightful

      I expect automated sanity checks before a modified zonefile goes live. Like, what would a domain name server receive when asking for a well known domain under that TLD? If that doesn't result in at least some records, warn the admin that the zonefile might not be correct.

    18. Re:No big deal by Chris+Mattern · · Score: 1

      Depends. Do you live in Sweden? Do you have Swedish relatives? Are there any Swedish meatballs in your refrigerator?

    19. Re:No big deal by mcgrew · · Score: 2, Insightful

      I wish browsers would store the IP address of the page as well as the domain name in bookmarks. That way if the DNS server goes down you could still get to the site. Of course, the primary lookup should still be the domain name, since a site can have its address changed; the browser would only look at the IP if the DNS lookup failed.

    20. Re:No big deal by Hurricane78 · · Score: 1

      Nah. In Sweden, when you want to see hot chicks, you just have to go outside. Even looking out the window might suffice. ^^

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    21. Re:No big deal by CorporateSuit · · Score: 5, Funny

      DNS is very simple, but it's just as prone to human error as anything else.

      Are you kidding? I've been programming DNS for a long time, and if theirs one thing I learned, its that programmers like me don't make errors.

      --
      I am the richest astronaut ever to win the superbowl.
    22. Re:No big deal by Anonymous Coward · · Score: 0

      Don't you mean a TLD server, and not a root server? I suppose you could have one test server that claimed to be authoritative for both the root and the TLD. I would personally run a test root server with a modified entry for "se.", that points to the test TLD server. I would then run my test resolving DNS server with a configuration that treats my test root server as the sole real root server. There is no need to run test 2ld servers since the real ones work fine. Just have the client look up a bunch of different addresses, of a large variety of types, including some outside the se tld, to make sure everything works.

      That is a few more than two machines, but could still be run in VMs on a single low end server without too much difficulty. This would only protect against some very specific types of problems, and not ones such as a change in the zone file requires more processing for each lookup for some reason, which could cause problems with load, but it catches problems where the zone file formatting is invalid, and whatnot.

    23. Re:No big deal by pyrrhonist · · Score: 4, Funny

      but I did notice the internet's smug meter had dropped about 30%.

      Norwegian detected.

      --
      Show me on the doll where his noodly appendage touched you.
    24. Re:No big deal by Mister+Whirly · · Score: 1

      Yes, but all that damn annoying ABBA and Ace of Base is so distracting you can't DO anything with(to) the hot chicks.

      --
      "But this one goes to 11!"
    25. Re:No big deal by Anonymous Coward · · Score: 0

      The downtime lasted 30 minutes, and most domains were probably cached by nameservers anyway.

      I once viddied an animated documentary about a small town in Colorado that lost the internet for 22 minutes. It was not pretty. Our hearts and minds go out to you, people of Sweden. I cannot even fathom what that would be like ... I hope the looting and rioting has died down with the restoration of the internet.

      That is nothing. In Argentina we have DNS problems every 5 or 6 months. Large regions in Argentina can't access the web for hours, and even for days.

      For those who love Adam Smith, in Argentina we have only two ISP providers, Telecom and Telefonica. Telefonica has bought Telecom, so now we have a BIG monopoly on cell phones, wired phones, and internet services.

    26. Re:No big deal by marsu_k · · Score: 1, Redundant

      Are you kidding? I've been programming DNS for a long time, and if theirs one thing I learned, its that programmers like me don't make errors.

      If one doesn't count spelling errors, apparently.

    27. Re:No big deal by Sl4shd0t0rg · · Score: 1

      This is serious! My Saab wouldn't start and all the doors were locked at my local Ikea during this outage you insensitive clod!

    28. Re:No big deal by Anonymous Coward · · Score: 0

      The episode was actually set over several days

    29. Re:No big deal by dissy · · Score: 1

      That feature would be very handy.

      The main reason one can't simply record host/ip pairs right now, is due to name-based virtual web servers.
      Even if you put in the IP manually, without sending the correct domain in the http request, you won't get the proper page.

      Having the IP as a separate field in the bookmarks would let the browser connect to any IP you put there (be it cached, or manually changed when a server is renumbered), but it would still have the needed data to send in the http request to make the webserver work properly. /me smells a plugin request!

    30. Re:No big deal by Web_Teat · · Score: 1

      whoosh!

      --
      Per intercessionem Sancti Blasii liberet te Deus a malo gutteris et a quovis alio malo.
    31. Re:No big deal by dmmiller2k · · Score: 1

      So apparently it was nothing like the South Park episode where South Park lost its internet.

      --

      "No matter how cynical you get, it is impossible to keep up." -- Lily Tomlin

    32. Re:No big deal by Anonymous Coward · · Score: 0

      This happened in Sweden - of course.

      I'm sure the change was made at like 4:45 PM (or 16:45 if you prefer) and you know...the day was over ...and if he'd been late getting home he'd have heard about it.

      Happens all the time.

    33. Re:No big deal by Anonymous Coward · · Score: 0

      Yes. It's a bit dusty in here.

    34. Re:No big deal by Anonymous Coward · · Score: 0

      Where the hell else am I supposed to go to look at pictures of hot Swedish women hitting the nightclub scene

      You could go to the nightclub!

    35. Re:No big deal by zapakh · · Score: 1

      I once viddied an animated documentary about a small town in Colorado that lost the internet for 22 minutes. It was not pretty. Our hearts and minds go out to you, people of Sweden. I cannot even fathom what that would be like ... I hope the looting and rioting has died down with the restoration of the internet.

      At least it wasn't Finland.

      All the same, somebody better tell Norway. They were really close.

    36. Re:No big deal by turbidostato · · Score: 1

      "For those who love Adam Smith, in Argentina we have only two ISP providers, Telecom and Telefonica. Telefonica has bought Telecom, so now we have a BIG monopoly on cell phones, wired phones, and internet services."

      Ahhh... but that's pure free market in action, señor mío, so you must be grateful.

    37. Re:No big deal by turbidostato · · Score: 1

      "When I worked for a major telecomm here in the US, one of our partner companies submitted a text file generated on a *nix machine [...] I found it more interesting that the reason why the partner company didn't want to muck with it was because the file would be 'validated' with their servers. The inclusion of two CRs threw off the checksum value and nothing would work."

      So, the partner company sent you some files. You inserted them on your system which suddenly and mysteriously failed. You blame your partners. Your partners show beyond doubt that *you* trashed the files so it was your problem. And still you find it "interesting"?

      "At least these guys could simply open the file and discern what the problem was. Yeah, shame on them."

      So in the end, even when it was obviously *your* problem, it was *them* the ones that had to diagnose it and still you "shame on them"?

      No wonder you post as an anonymous coward. Certainly I wouldn't want to have you for a business partner.

    38. Re:No big deal by tdknox · · Score: 1

      Speaking as someone who has done root DNS modifications, Sweden *doesn't do* the modifications. They submit a request, which is verified by two separate agencies, then forwarded on to VeriSign who makes the TLD change. Once the change is made, it is (supposedly) verified by at least 1 other person, and several scripts before being pushed live.

      --
      Did you know that gullible is not in the dictionary?
    39. Re:No big deal by Anonymous Coward · · Score: 0

      He was being sarcastic.

    40. Re:No big deal by Anonymous Coward · · Score: 0

      Are you kidding? I've been programming DNS for a long time, and if theirs one thing I learned, its that programmers like me don't make errors.

      If one doesn't count spelling errors, apparently.

      Both "theirs" and "its" are spelled correctly, they're just misused.

    41. Re:No big deal by Kalriath · · Score: 2, Informative

      Incorrect. The zone file is hosted by Autonomica AB (who own the servers that are authoritative for the "se" domain according to the root servers).

      If you were talking about a change to the NS records, you'd - I assume - be correct - Verisign operates a.root-servers.net (which I assume is the root)

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    42. Re:No big deal by Kalriath · · Score: 1

      Incorrect. Notepad does not interpret LF or CR on their own as a line break, so you'd find it pretty obvious that the file is malformed when the whole damn thing shows up on a single line. Wordpad will transparently fix it though.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    43. Re:No big deal by Vintermann · · Score: 1

      "Yeah, been there done that. *My* fumble only brought 10,000 domains down for about 10 minutes, and no one noticed. (I think all the domains hosted only cat pictures anyway.)"

      ICANN has cheezburger? (wow, someone has registered that domain already!)

      --
      xkcd is not in the sudoers file. This incident will be reported.
    44. Re:No big deal by Carewolf · · Score: 1

      My biggest bug resulted in about a dozen tigers getting tranquilized.

      So you are the one releasing giant tranquilizing bugs into the jungle?

    45. Re:No big deal by feargal · · Score: 1

      Sorry, that's incorrect, name-based virtual hosts pose no problem to this.

      The webserver determines which virtual host is being requested by examining the Host: field in the http header. This happens well after the tcp session has been established, and that happens after the ip address has been determined.

      When the browser looks for domain.example, it'll ask whatever resolver it uses to find an ip address to use. Once it has that ip address, it connects to it, and only then tells the webserver which host it wants. There is nothing to prevent the browser from using its own cached version of the ip address and successfully making a connection.

      --
      "A goldfish was his muse, eternally amused"
    46. Re:No big deal by vegiVamp · · Score: 1

      No, but I would expect them to have a staging service in place.

      --
      What a depressingly stupid machine.
    47. Re:No big deal by FreakyGreenLeaky · · Score: 1

      whoosh!

    48. Re:No big deal by dissy · · Score: 1

      Sorry, that's incorrect, name-based virtual hosts pose no problem to this.

      The webserver determines which virtual host is being requested by examining the Host: field in the http header. This happens well after the tcp session has been established, and that happens after the ip address has been determined.

      Yes, exactly.

      So when your bookmark is http://10.1.2.3/ then the browser will connect to that IP, and send Host: 10.1.2.3

      Nowhere in that transaction does it realize 10.1.2.3 should be www.example.com

      With the setup I suggested, the bookmark would have BOTH fields.
      www.example.com and a separate 10.1.2.3

      If the IP is given, it will not resolve www.example.com, but connect directly to 10.1.2.3 and send Host: www.example.com instead of the current method of sending Host: 10.1.2.3

      When the browser looks for domain.example, it'll ask whatever resolver it uses to find an ip address to use. Once it has that ip address, it connects to it, and only then tells the webserver which host it wants.

      And as I said, with nothing but an IP in a bookmark, that part will never happen.

      There is nothing to prevent the browser from using its own cached version of the ip address and successfully making a connection.

      Correct. There is nothing preventing it, it is only that none of them do that.
      My suggestion (actually the GP suggestion) is that the browsers SHOULD do that.

  3. There goes my favorite web site ! by Anonymous Coward · · Score: 3, Funny

    Goat.se

    1. Re:There goes my favorite web site ! by Tetsujin · · Score: 2, Funny

      Goat.se

      Huh... that's interesting. I've never heard of that one before... I think, though, that based on your recommendation I'll share the link with the rest of the office. I've seen a lot of your posts here in Slashdot, Anonymous Coward, and all the ones I've seen have been pretty highly rated, so I'm guessing you wouldn't link me to a website that wasn't interesting.

      --
      Bow-ties are cool.
    2. Re:There goes my favorite web site ! by TaoPhoenix · · Score: 1

      (humor)
      The satellite Microsoft Retro Fan Site Windows98.se also went down.

      And look. My sig this month is all about your joke.
      (No Closing tag. The humor never ends.)

      --
      My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
    3. Re:There goes my favorite web site ! by Anonymous Coward · · Score: 0

      so I'm guessing you wouldn't link me to a website that wasn't interesting.

      It's interesting all right. In a "May you live in interesting times" Chinese curse sort of way.

    4. Re:There goes my favorite web site ! by hldn · · Score: 1

      that is a handsome looking fellow on that site.

      --
      http://www.accountkiller.com/removal-requested
    5. Re:There goes my favorite web site ! by AliasMarlowe · · Score: 2, Funny

      Goat.se

      Arrgh... the horror... http://goat.se/cx You'll want to claw your eyes out!

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    6. Re:There goes my favorite web site ! by Anonymous Coward · · Score: 0

      Welcome to the Internet. Do you plan on staying long?

  4. I downloaded.. by Anonymous Coward · · Score: 0

    it all off Pirate Bay already.

  5. An oft overlooked single point of failure? by Anonymous Coward · · Score: 0

    Wouldn't it be better if you could have 2 totally independent firms managing each top-level domain name? Sure it'd be some work to make sure updates get to each of them; but it might protect against things like this.

    1. Re:An oft overlooked single point of failure? by sexconker · · Score: 3, Interesting

      Uh, it would make no difference.
      DNS is hierarchical, and has teh caching.

      2 independent groups running DNS would strive to make sure they sync with each other quickly - thus all failures would sync quickly too.

      The difference between
        - the delay of a correct change propagating across the two firms running DNS
        - the delay of an incorrect change propagating within a single DNS

      would essentially be zero.

      No good things could come from what you propose unless it was specifically designed to have a 24 hour delay or something.

      Can't get to milkmaids.se ? Try milkmaids.se via DNS2 to get a 24-hour old version.

      This is something the CURRENT DNS system could support - explicitly calling for older versions.

      In fact, it might be worthwhile. Somebody write an RFC.

    2. Re:An oft overlooked single point of failure? by Otto · · Score: 1

      You can't protect against a single point of failure when you're talking about a person updating a system. Redundancy protects against computer error, not human error.

      See, ultimately, somebody, somewhere has to be responsible for the name updating. Having it in two places just means that an incorrect update gets pushed to both places by the person making the change.

      In this case, the effects were minimized by the nature of DNS itself, and the caching mechanisms involved. Most servers probably never saw the changes. Those that did will get their caches cleared fairly rapidly, and the effect is minimal.

      --
      - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
    3. Re:An oft overlooked single point of failure? by Anonymous Coward · · Score: 0

      "You can't protect against a single point of failure when you're talking about a person updating a system."

      Of course you can.

      When transcribing medical records, double-or-triple keying the data is the norm.

      If it were an entirely different company maintaining the redundant copy, it's very unlikely they would manually re-create the same mistake.

    4. Re:An oft overlooked single point of failure? by flyingfsck · · Score: 1

      No, it was a single dot of failure.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    5. Re:An oft overlooked single point of failure? by jtcampbell · · Score: 1

      What about regression testing?

      It'd be quite possible to run a check and throw a warning if a change affects greater than a certain percentage of domains. Or you could check against a sample of domains that really aren't going to change (I'm thinking mcdonalds.se, ibm.se etc etc).
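The pre-publication checks proposed in this thread (a sanity check that well-known domains still resolve to something sensible, and a warning when a change touches too large a share of domains), written out as an added example; it is not code from the .SE registry or from any commenter. The zone data is constructed, the names under .example are placeholders, and the "relative target that contains dots" rule is an assumed heuristic for the missing-trailing-dot failure described in the summary.

```python
NAME_FIELD = {"NS": 0, "CNAME": 0, "MX": 1}   # index of the host name within RDATA
CLASSES = {"IN", "CH", "HS"}

# Constructed sample data: names under .example are placeholders, not real delegations.
GOOD_ZONE = """\
$ORIGIN se.
$TTL 3600
@      IN SOA ns.registry.example. hostmaster.registry.example. 2009101201 1800 900 604800 7200
@      IN NS  ns.registry.example.
alpha  IN NS  ns1.hosting.example.
       IN NS  ns2.hosting.example.
beta   IN NS  ns1.other.example.
"""
# A normal update: new serial, one new delegation.
GOOD_NEXT = (GOOD_ZONE.replace("2009101201", "2009101202")
             + "gamma  IN NS  ns1.hosting.example.\n")
# The same data as a buggy generator would write it: trailing dots dropped from targets.
BAD_ZONE = (GOOD_ZONE.replace("2009101201", "2009101202")
            .replace(".example.\n", ".example\n"))
CANARIES = ["alpha.se.", "beta.se."]   # hypothetical "never changes" sample domains


def expand(name, origin):
    """Make a zone-file name absolute, the way a name server does on load."""
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()


def parse_zone(text, origin):
    """Parse one-record-per-line zone text (no parenthesised multi-line records)."""
    records, owner = [], origin
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = expand(fields[1], origin)
            continue
        if fields[0].startswith("$"):                 # $TTL and friends
            continue
        if not line[0].isspace():                     # leading blank = previous owner
            owner = expand(fields.pop(0), origin)
        while fields and (fields[0].isdigit() or fields[0].upper() in CLASSES):
            fields.pop(0)                             # optional TTL and class
        rtype, rdata = fields[0].upper(), fields[1:]
        idx = NAME_FIELD.get(rtype)
        raw_target = rdata[idx] if idx is not None and idx < len(rdata) else None
        target = expand(raw_target, origin) if raw_target else " ".join(rdata)
        records.append({"line": lineno, "owner": owner, "type": rtype,
                        "raw_target": raw_target, "target": target})
    return records


def relative_targets(records):
    """Targets that look fully qualified but lack the trailing dot, so the
    origin gets appended on load (ns1.hosting.example -> ns1.hosting.example.se.)."""
    return [r for r in records if r["raw_target"]
            and not r["raw_target"].endswith(".") and "." in r["raw_target"]]


def missing_canaries(records, canaries, suspect_lines):
    """Canary domains with no NS record left that passed the trailing-dot check."""
    healthy = {r["owner"] for r in records
               if r["type"] == "NS" and r["line"] not in suspect_lines}
    return [c for c in canaries if c.lower() not in healthy]


def change_ratio(old, new):
    """Share of the previous zone's delegations that are absent from the new zone."""
    old_ns = {(r["owner"], r["target"]) for r in old if r["type"] == "NS"}
    new_ns = {(r["owner"], r["target"]) for r in new if r["type"] == "NS"}
    return len(old_ns - new_ns) / len(old_ns) if old_ns else 0.0


def prepublish_check(old_text, new_text, origin, canaries, max_change=0.2):
    """Return a list of problems; an empty list means the new zone may go live."""
    old, new = parse_zone(old_text, origin), parse_zone(new_text, origin)
    suspects = relative_targets(new)
    problems = [f"line {r['line']}: {r['owner']} {r['type']} {r['raw_target']} "
                f"loads as {r['target']} (missing trailing dot?)" for r in suspects]
    for name in missing_canaries(new, canaries, {r["line"] for r in suspects}):
        problems.append(f"canary {name} has no usable NS record")
    ratio = change_ratio(old, new)
    if ratio > max_change:
        problems.append(f"{ratio:.0%} of existing delegations changed "
                        f"(limit {max_change:.0%})")
    return problems


if __name__ == "__main__":
    for problem in prepublish_check(GOOD_ZONE, BAD_ZONE, "se.", CANARIES):
        print(problem)
```

Run as a gate before the zone is pushed: a non-empty result blocks publication, and the previous zone keeps being served.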

    6. Re:An oft overlooked single point of failure? by Anonymous Coward · · Score: 0

      How many people read the post above and actually tried to access milkmaids.se?

    7. Re:An oft overlooked single point of failure? by turbidostato · · Score: 1

      "In this case, the effects were minimized by the nature of DNS itself"

      Well, at least somebody shows some common sense.

      Of course, losing a whole TLD even if only for half an hour is a shame probably the one that did it won't include in his resume, but the fact is that nobody will spend more on securing a resource than its very value. DNS is basically distributed, cached information described on plain text files; if an update works (which is vastly most of the time), it works; if it isn't you detect the failure within seconds (logs at reload), it is not so tragic (the previous information will be cached through the Internet), it's easy to spot (is a diff away) and you can easily revert to the previous version plus higher serial number in the meantime. No need for triple checks that triplicate the costs and will bring in their own share of bugs to the equation.

    8. Re:An oft overlooked single point of failure? by Otto · · Score: 1

      Of course you can.

      When transcribing medical records, double-or-triple keying the data is the norm.

      And where does this data come from? The doctor? The testing lab? What happens when the error is in the source that you give to three people to key in?

      Ultimately, all data to be input derives from somewhere. An error there will just get duplicated down the line.

      --
      - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
    9. Re:An oft overlooked single point of failure? by Otto · · Score: 1

      What about regression testing?

      It'd be quite possible to run a check and throw a warning if a change affects greater than a certain percentage of domains. Or you could check against a sample of domains that really aren't going to change (I'm thinking mcdonalds.se, ibm.se etc etc).

      - The total impact was less than an hour.

      - The number of affected users was likely only in the dozens range (thanks to DNS caching).

      - Even individual computers use DNS caching nowadays. All Windows machines, for example, cache DNS lookup results for a default of a day or so.

      - Do we really need to develop a cumbersome and expensive process to solve a most likely one-time problem that affected virtually nobody in any serious way?

      --
      - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
  6. change control / management, anyone? by SuperBanana · · Score: 5, Insightful

    I seriously hope someone is fired or loses a contract over this. Where was the validation, change control, etc? I would expect that at the TLD level, a change to a configuration file would have to be inspected by someone AND run through some syntax-checking scripts...

    As for the person who was modded up for saying "hey, no big deal, fixed in 30 minutes!", not quite. DNS servers (and individual computers!) cache negative results. Anything anyone did a query on during those 30 minutes will be negatively cached by their system and their local DNS server. Granted, a whole lot of local Swedish ISPs and network providers have probably flushed their DNS server caches, but it's still going to seriously impact traffic to many, many sites, especially for everyone outside Sweden.

    1. Re:change control / management, anyone? by Anonymous Coward · · Score: 0

      Why would anyone outside of Sweden want to access a .se domain anyway?

    2. Re:change control / management, anyone? by Aphoxema · · Score: 1

      It really isn't a big deal. The mistake was made, the world has the opportunity to learn from it and the economic impact was probably small but scalable enough to take seriously.

      Now if it happened again I'd hope action were taken... don't be so vengeful, SuperBanana!

      --
      "Most people, I think, don't even know what a rootkit is, so why should they care about it?"
    3. Re:change control / management, anyone? by Anonymous Coward · · Score: 4, Funny

      Sweden porn?

      IKEA instruction manuals?

    4. Re:change control / management, anyone? by Anonymous Coward · · Score: 0

      F*** You! I right code for airplane fuel management systems and there is no need for review or even testing. Design is almost non-existent, too. Our design process goes as follows Late on Thursday with a Friday deadline. We go out to our local bar for some drinks. After, a bit of squabbling we right the requirement down on some napkins; pick our programming language with help of a dart board. Get back to the office, well, most of us are actually are going there for first time this week. We ship whatever code we get done by 5 pm. Never had any code problems.

    5. Re:change control / management, anyone? by soup4you2 · · Score: 1

      Might be a small issue, but no reason to get somebody fired over.. People make mistakes all the time.

    6. Re:change control / management, anyone? by e2d2 · · Score: 2, Insightful

      I'll go one better and say we should try him in a military tribunal and sentence him to hard time in ADX. That will send the world a message - NO MISTAKES OR ELSE.

      Get real man, this is a human error. Your struggle for perfection baffles my monkey brain.

    7. Re:change control / management, anyone? by Mathness · · Score: 4, Funny

      I seriously hope someone is fired or loses a contract over this.

      You'll be happy to know that the person responsible has been found. The person in question was described as having unusual bushy eyebrows and speaking in a thick Swedish accent. His last comment about the incident, before being dragged away, was "bork bork bork".

      --
      Carbon based humanoid in training.
    8. Re:change control / management, anyone? by Neil+Hodges · · Score: 1

      Don't you mean "I wrong code" in this context?

    9. Re:change control / management, anyone? by Anonymous Coward · · Score: 0

      Thank you, i needed a good laugh today :)

    10. Re:change control / management, anyone? by Anonymous Coward · · Score: 0

      Wow, what a whiny little brat you are. Did mummsy drop wyou on your heady-boos?

    11. Re:change control / management, anyone? by Anonymous Coward · · Score: 0

      In my experience, excessive paperwork makes such things more likely, not less.

      "Change control" in particular. PHBs don't make good programmers, and only PHBs think "change control" means more than "testing your code".

    12. Re:change control / management, anyone? by Anonymous Coward · · Score: 0

      Yeah, you don't live in Sweden, that's what I'm hearing.

      Fire someone for making a mistake or error? Not in this country.

      Sweden, where the unions protect your ass

    13. Re:change control / management, anyone? by Anonymous Coward · · Score: 0

      We ship whatever code we get done by 5 pm. Never had any code problems.

      Of course anyone with the described schedule would NEVER have code problems.

      (Except for lack of... LOL)

    14. Re:change control / management, anyone? by CRiMSON · · Score: 1

      I hope you get fired when you make you a mistake.

      --
      oogly boogly!
    15. Re:change control / management, anyone? by Abreu · · Score: 1

      Sweden porn?

      IKEA instruction manuals?

      For some reason, this came to my mind after reading your post: IKEA Erotica

      --
      No sig for the moment.
    16. Re:change control / management, anyone? by cjeze · · Score: 1

      To Err Is Human, To Forgive Divine.

      Even with validation, change control etc errors can occur. Even with the most rigorous testing errors can happen, just look at NASA they are rocket scientists and even they make mistakes every now and then. Next time it could be you.

    17. Re:change control / management, anyone? by Phred+T.+Magnificent · · Score: 1

      If this is the first time the responsible party has made a mistake like this, then it probably doesn't need to be a career-terminating experience.

      With that said, though, you're entirely right that there should have been validation and change control!

      --
      Where is the wisdom we have lost in knowledge?
      Where is the knowledge we have lost in information?
    18. Re:change control / management, anyone? by Anonymous Coward · · Score: 0

      ...when you make you a...

      You're fired!

    19. Re:change control / management, anyone? by marc_gerges · · Score: 1

      I seriously hope someone is fired or loses a contract over this.

      It seems a silly idea to fire somebody just after having invested $(whatever_this_snafu_is_supposed_to_have_cost) into his education.

    20. Re:change control / management, anyone? by davebooth · · Score: 3, Insightful
      Right AND wrong in one post :)

      Excessive paperwork like 30 min to fill out a change request form to do something like make a 30 second edit to a config file and sighup a daemon is stupid and you'll hear no argument from me on that. Change control per se however, is essential, particularly in a large enterprise. Running part of that kind of infrastructure without change control would be like trying to manage the kernel source tree without cvs (or svn or $REPOS_OF_CHOICE, analogy holds either way.)

      The problem is not change control, it's the way it is implemented. Change control methodology is designed by PHBs who haven't actually done the tech work in years, if they ever did. It's then scribbled all over by a "business analyst" who thinks a sigpipe is a plumbing problem and by the time guys actually doing the work get hold of it it has become a nightmare of procedural BS when all you really needed was a way to make sure everything you do to a live production system is documented and that anything other than emergency break-fix at least got basic testing and a second pair of eyes looking at it before rolling it out.

      --
      I had a .sig once. It got boring.
    21. Re:change control / management, anyone? by RabidMonkey · · Score: 5, Insightful

      As a DNS admin myself, touching high value zones, let me tell you, missing a stupid dot happens all the time. All the change control in the world doesn't help when you just don't type one little period. Even more helpfully, most tools won't notice and the zone will pass a configuration check because missing the trailing "." is syntactically correct.

      Let me add as well that "change management" that you want is just fantastic .. no making changes during core hours. When you run a 24/7 business, non-core hours means something like 2am. at 2am, I, and most mammals, are not at their mental best, so missing a single dot isn't horribly hard.

      The only thing I'd suggest they do is use an offline test box for zones, then promote that change to prod. Then, you can load all the mistakes you want, do your digs, and if stuff works, THEN you move it to prod. I never ever make changes on production servers, they are done offline, tested, then put into prod with scripts. It makes it a lot harder for missing periods to make it into production.

      Finally, this is a good reason why negative caching should have low TTLs. If you run a DNS server that can't handle low neg-caching TTLs, it's time to upgrade from a 386.

      Cheers.

      --
      We emerge from our mother's womb an unformatted diskette; our culture formats us. - Douglas Coupland
    22. Re:change control / management, anyone? by amorsen · · Score: 1

      Running part of that kind of infrastructure without change control would be like trying to manage the kernel source tree without cvs (or svn or $REPOS_OF_CHOICE, analogy holds either way.)

      I hate to break it to you, but until 2002 the Linux kernel was managed without automated version control. It worked quite well, actually.

      --
      Finally! A year of moderation! Ready for 2019?
    23. Re:change control / management, anyone? by drinkypoo · · Score: 1

      I think the big failure here is that anyone is ever editing the file by hand. It should be created programmatically and edited only with a tool so that an error like this can never happen. (Of course, other errors are possible; now you have to vet your code. But the tool need not be complex, and in fact should be small enough to be provable if you so desire.)

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    24. Re:change control / management, anyone? by CRiMSON · · Score: 0, Flamebait

      And your a fucking douche.. I guess we're even...

      --
      oogly boogly!
    25. Re:change control / management, anyone? by Anonymous Coward · · Score: 0

      Of course they stage this kind of stuff. It's a top level domain. Do you think they would get the contact to run it if they didn't? In one of the world's most wired nations? (Together with other northern European states and South Korea.)

      Somehow a bug in the script that moved out the zone to production caused this. And none of the tests caught it. We don't know the details yet. But it caused big disruptions, that's for sure.

      Also, upgrade from a 386? A TLD with a million records and running dnssec in production? I don't think you fully understand the scope of running these things. The talk about negative caching also leads me to believe you haven't thought this through.

    26. Re:change control / management, anyone? by icebraining · · Score: 1

      Yes, that's why we have testbeds. The problem is not the missing character or whatever, is testing stuff before making a change in a system which affects thousands of websites.

    27. Re:change control / management, anyone? by Chris+Mattern · · Score: 2, Insightful

      Even more helpfully, most tools won't notice and the zone will pass a configuration check because missing the trailing "." is syntactically correct.

      Not if the configuration check you wrote checks for the trailing "." anyways. And if it doesn't, you need to rewrite it.

    28. Re:change control / management, anyone? by Burdell · · Score: 1

      Obviously, it passed syntax-checking, or the server wouldn't have loaded it. What you are looking for is semantic-checking, which is much more difficult. I expect that the generation scripts will be expanded to check for more things; that's generally what happens (you check for what you can think of, and expand the checking when someone thinks of a better way to break things).

      Negative caching (in BIND anyway) tops out at 3 hours (it looks like .se has it set to 2 hours). The NS record TTL is 2 days, so only about 1/96 of servers regularly looking up .se entries would have made a request during the 30 minute window.

      As for somebody being fired for making one relatively simple mistake: were you fired from McDonald's, Burger King, and Wendy's every time you dropped a fry on the floor?

      ObQuote: "Ok! Ok! I must have, I must have put a decimal point in the wrong place or something. Shit. I always do that. I always mess up some mundane detail."
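
The semantic check discussed in the comments above (a name that is syntactically valid but expands to something nobody intended), sketched as an added example; it is not part of the original thread and not the registry's script. The zone contents and host names are constructed, and the parser assumes one record per line, numeric TTLs, and no quoted semicolons.

```python
"""Semantic lint for missing trailing dots in a DNS master file (added example)."""

# RDATA positions that hold a domain name, per record type.
NAME_FIELDS = {"NS": (0,), "CNAME": (0,), "PTR": (0,), "DNAME": (0,),
               "MX": (1,), "SRV": (3,), "SOA": (0, 1)}
CLASSES = {"IN", "CH", "HS"}

# Constructed sample zone (not real .se data).
SAMPLE_ZONE = """\
$ORIGIN se.
$TTL 172800
@            IN SOA ns-a.nic-example.se. hostmaster.nic-example.se. 1 1800 1800 864000 7200
@            IN NS  ns-a.nic-example.se.
@            IN NS  ns-b.nic-example.se    ; dot missing
example      IN NS  ns1.example.se.
example      IN NS  ns2.example.se         ; dot missing
example2     IN NS  ns1                    ; relative on purpose: ns1.se.
mail.example IN MX  10 mx.example.net      ; dot missing, foreign suffix
example3.se  IN NS  ns1.example.se.        ; dot missing on the owner
"""


def absolute(name, origin):
    """Expand a name the way a master-file parser does: no dot means relative."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else name + "." + origin


def classify(name, origin, is_target):
    """Return 'error', 'warning' or None for one name as written in the file."""
    if name == "@" or name.endswith("."):
        return None
    labels = name.lower().split(".")
    origin_labels = [] if origin == "." else origin.lower().rstrip(".").split(".")
    n = len(origin_labels)
    # The relative name already ends in the origin, so expansion doubles it
    # (ns2.example.se -> ns2.example.se.se.). Almost certainly a dropped dot.
    if n and len(labels) > n and labels[-n:] == origin_labels:
        return "error"
    # A multi-label relative *target* is legal but deserves a second look.
    if is_target and len(labels) > 1:
        return "warning"
    return None


def lint_zone(text, origin="."):
    """Return (line, level, name_as_written, expanded_name) for suspect names."""
    findings = []
    owner = "@"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0].upper() == "$ORIGIN" and len(tokens) > 1:
            origin = absolute(tokens[1], origin)
            continue
        if tokens[0].startswith("$"):
            continue
        if not line[0].isspace():                 # blank owner repeats the last one
            owner = tokens.pop(0)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in CLASSES):
            tokens.pop(0)                         # optional TTL and class
        if not tokens:
            continue
        rtype, rdata = tokens[0].upper(), tokens[1:]
        names = [(owner, False)]
        names += [(rdata[i], True) for i in NAME_FIELDS.get(rtype, ()) if i < len(rdata)]
        for name, is_target in names:
            level = classify(name, origin, is_target)
            if level:
                findings.append((lineno, level, name, absolute(name, origin)))
    return findings


if __name__ == "__main__":
    for lineno, level, name, expanded in lint_zone(SAMPLE_ZONE):
        print(f"line {lineno}: {level}: {name!r} expands to {expanded!r}")
```

Run as a gate in the zone-generation pipeline, a non-empty list of `error` findings would block promotion of the file to production.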

    29. Re:change control / management, anyone? by Chris+Mattern · · Score: 1

      Then why did they stop doing it?

      Actually, I'll tell *you* why they stopped doing it: because Linus realized he was doing by hand a job that could be done much better by machine.

    30. Re:change control / management, anyone? by yffe · · Score: 1

      I seriously hope someone is fired or loses a contract over this.

      No, they got cake.

    31. Re:change control / management, anyone? by vlm · · Score: 1

      I seriously hope someone is fired or loses a contract over this.

      It seems a silly idea to fire somebody just after having invested $(whatever_this_snafu_is_supposed_to_have_cost) into his education.

      Disagree... Obviously that file was being maintained by hand, BS press releases about scripts to the contrary. So the failure was at the management level for allowing such a crazy working procedure with no testing infrastructure at all. The only "education" the peon got was "typos cause problems", not exactly a Nobel prize winning contribution to human knowledge (although in comparison to a recent winner...) Since management doesn't make mistakes, and someone has to be the fall guy... the excuse will probably be "procedure stated no typos allowed".

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    32. Re:change control / management, anyone? by Krneki · · Score: 1

      Chill out dude. Go get a beer or a coffee, life is too good to waste it complaining about problems.

      And if you get so emotional for 30min of Internet downtime you will probably die out of stress too soon.

      --
      Love many, trust a few, do harm to none.
    33. Re:change control / management, anyone? by Verdatum · · Score: 1

      10 PRINT "Please manage airplane fuel."
      20 GOTO 10

    34. Re:change control / management, anyone? by rs79 · · Score: 1

      It's not "a" dot, it's "every" dot. A bad script and DNSSEC are to blame. Note that this is version 4 (5?) of dnssec. The earlier ones just didn't work.

      And there's a real bad gotcha in the current one they haven't found yet that has still to raise its ugly head. In time.

      --
      Need Mercedes parts ?
    35. Re:change control / management, anyone? by Anonymous Coward · · Score: 0

      Sweden porn?

      IKEA instruction manuals?

      Is there a difference between the two?

    36. Re:change control / management, anyone? by Anonymous Coward · · Score: 0

      And your a...

      You're fired again!

    37. Re:change control / management, anyone? by Anonymous Coward · · Score: 0

      I think the big failure here is that anyone is ever editing the file by hand. It should be created programmatically and edited only with a tool so that an error like this can never happen. (Of course, other errors are possible; now you have to vet your code. But the tool need not be complex, and in fact should be small enough to be provable if you so desire.)

      I agree, but I'll also be a monkey's uncle when free software is designed this way.

    38. Re:change control / management, anyone? by Anonymous Coward · · Score: 0

      > IKEA instruction manuals?

      Yeah, but only those written in swedish language.

    39. Re:change control / management, anyone? by kirillian · · Score: 1

      F*** You! I right code

      we right the requirement down

      I think I found the reason why you keep getting those airplane system parts back (right -> write)

      Seriously though, I think you just forgot your /sarcasm tag...

      My dad repairs airplane systems as well...he works with diagnosing/repairing/redesigning those circuit boards on the fly...they come in, like you said, late in the week, with that Friday deadline...then again...my boss likes to call up 5 minutes before go time, and ask me, "Can you just change this for me right quick?" That wouldn't bother me so much if people realized that something like that just ASKS for errors and bugs, especially the more complicated something is...No matter how careful the programmer and no matter how many unit tests you have, trying to code something in five minutes just is a bad habit to be in...it doesn't give you the time to think about various extreme cases and scenarios that could crop up.

    40. Re:change control / management, anyone? by Blakey+Rat · · Score: 1

      at 2am, I, and most mammals, are not at their mental best,

      I'm a black-footed ferret, you insensitive clod!

    41. Re:change control / management, anyone? by bertok · · Score: 1

      I think the big failure here is that anyone is ever editing the file by hand. It should be created programmatically and edited only with a tool so that an error like this can never happen. (Of course, other errors are possible; now you have to vet your code. But the tool need not be complex, and in fact should be small enough to be provable if you so desire.)

      I agree, but I'll also be a monkey's uncle when free software is designed this way.

      What does this failure have to do with free software? If anything, it should be easy.

      Even if you have an open source DNS server that uses text files, a major DNS registrar should be automating the hell out of it. I'm struggling to think of a reason why you wouldn't generate all your DNS records from a database. The files aren't that complicated, and they're essentially tabular data anyway.

      I once saw an admin go on about how much 'better' Linux DNS servers were, then spend 5 hours hunting typos in the DNS config and zone files. Eventually he got fed up, and then I took over and spent about 5 minutes clicking "next, next, next" to get a Microsoft AD DNS up and running, flawlessly. The difference is that AD builds most of the configuration automatically, gives no opportunity to use invalid zone files, and stores entries in a database. There is just no reason a large DNS registrar couldn't implement the same with a few days of scripting something around a database.

    42. Re:change control / management, anyone? by turbidostato · · Score: 1

      "I would expect that at the TLD level, a change to a configuration file would have to be inspected by someone AND run through some syntax-checking scripts..."

      Expect price and time-to-activation increase for second level domains way beyond current status then.

      "DNS servers (and individual computers!) cache negative results."

      Yeah, but in practice only for individual resources, not whole domains, since negative answers from authoritative sources must include SOA references as per RFC2308.

      "Anything anyone did a query on during those 30 minutes will be negatively cached by their system and their local DNS server"

      Now you know what happens when you are in a hurry and ask for a to-be-activated resource prior to its inclusion on the zone.

      "but it's still going to seriously impact traffic to many, many sites, especially for everyone outside Sweden."

      The fact is, well, it won't.

    43. Re:change control / management, anyone? by turbidostato · · Score: 1

      "Then why did they stop doing it?"

      Because it didn't scale, not because Linus thought his previous procedure made kernel quality lacking.

    44. Re:change control / management, anyone? by Eil · · Score: 1

      I'm no DNS expert, but I can't fathom why negative responses are cached at all. You have many, many more requests for valid domains than you do for invalid ones and the vast majority of the invalid ones are one-off typos. I just don't see what the benefit is. We could do away with an entire class of sysadmin headaches if all resolver software configuration and network policies defaulted to not caching negative responses.

    45. Re:change control / management, anyone? by Anonymous Coward · · Score: 0

      Yeah ok dumb spic. What do you know about IKEA or Sweden. I am pretty sure you're thing is Home Depot. So just make your burritos and leech on our free healthcare and get off of slashdot. No one values your opinion because we're not talking about rice and beans, we're talking about real-technical-computer-stuff. Please leave.

    46. Re:change control / management, anyone? by jonaskoelker · · Score: 1

      Running part of that kind of infrastructure without change control would be like trying to manage the kernel source tree with cvs.

      FTFY ;-)

    47. Re:change control / management, anyone? by amorsen · · Score: 1

      Because Larry McVoy convinced Linus that version control could be automated in a useful way. Also, it helped for legal reasons during the SCO case.

      Not that version control isn't useful, especially after the switch to git which made git bisect available to the unwashed masses.

      --
      Finally! A year of moderation! Ready for 2019?
    48. Re:change control / management, anyone? by jotaeleemeese · · Score: 1

      "Excessive paperwork like 30 min to fill out a change request form to do something like make a 30 second edit to a config file and sighup a daemon is stupid"

      It seems stupid, until one day you do it without the controls, you break somebody's vital process, and had to start with the explanations.

      If you are working in a real business with real money or reputation to be lost, telling people that you are messing with their machines is a damn good idea, even if you think reconfiguring a daemon is nothing.

      --
      IANAL but write like a drunk one.
    49. Re:change control / management, anyone? by davebooth · · Score: 1
      Agreed it has to be documented but a decent sysadmin or infrastructure architect is not a cheap resource - You don't want your most skilled and expensive staff doing stuff that is simply i-dotting and t-crossing and more importantly not in their core competencies. I never argued against change control itself, I wouldn't want to have responsibility for anything critical in an environment without it. It does have to be practical though.

      For example, the best guy I ever worked for realized this and while we still had the monolithic and byzantine change management system, the word from the boss was "for non-emergency changes, email my secretary who will handle the forms and stuff. If questions come back you still need to answer them but I don't want you wasting your time over some auditor's quibble over whether something is correctly coded for the type of service request or not" - effectively dividing up the work on the process so that the staff who were best trained to handle a particular part of it did so. Perhaps unsurprisingly, the teams under this guy had the best record for change management compliance in the entire company.

      It's very much like security - if it's easy to comply with a policy, everybody will. If it's hard then you're giving folks an incentive to look for loopholes and work around it. Like security, change control is an essential component of managing systems and networks but you can't afford to change manage yourself into total paralysis any more than you want to secure a server by shutting it down and unplugging it.

      --
      I had a .sig once. It got boring.
    50. Re:change control / management, anyone? by Anonymous Coward · · Score: 0

      Hey, it's my racist troll again!

      How are you, pinche gringo pendejo? I had missed you!!

  7. So I guess it's... by 6Yankee · · Score: 5, Funny

    ...borked!

    1. Re:So I guess it's... by Anonymous Coward · · Score: 0

      If it was IS (Iceland), then yes.

    2. Re:So I guess it's... by vandelais · · Score: 1

      I'm chopping up the zone files if that's ok with you (tosses random shyte over shoulder)
      We'll scoop up all the trailing dots and put them in the stew

      BORKBORKBORK!

      --
      Game: Player 'Donald J Trump' now has AI skill level 'experimental'.
    3. Re:So I guess it's... by Bazman · · Score: 1

      Iceland? That would be BjorkBjorkBjork surely?

      This is a Muppets' Swedish Chef reference.

    4. Re:So I guess it's... by Verdatum · · Score: 1

      I can't believe I had to scroll through this many comments to find the first BORK joke! I was starting to get nervous!

  8. Let me be the first to say: by Anonymous Coward · · Score: 0

    bork, bork, bork...

  9. Ah, the joy of automated oopsies. by palegray.net · · Score: 1

    One missing character, repeated a whole lot of times, results in an entire TLD going offline. Awesome.

  10. unless you are swedish by circletimessquare · · Score: 1

    i don't think you have a right to call this no big deal

    the internet is becoming more and more vital to our lives

    its "no big deal" until you need to know something off the internet right now, high stakes

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:unless you are swedish by CharlyFoxtrot · · Score: 3, Insightful

      its "no big deal" until you need to know something off the internet right now, high stakes

      I need to know what a fourteen year old thinks about copyright law and I need to know it NOW !

      --
      If all else fails, immortality can always be assured by spectacular error.
    2. Re:unless you are swedish by Hyppy · · Score: 3, Insightful

      The Internet was started as, and always has been, a "best effort" network. If a packet gets through, great. If not, well, it's not the end of the world. People have tried to code more and more resilient protocols on top to be as robust as possible, but in the end it's a very fragile system that can go down quite easily.

      Anything sufficiently "high stakes" shouldn't rely on an unreliable medium.

    3. Re:unless you are swedish by clemdoc · · Score: 1

      In which case you should have been thinking about taking your own precautions.

    4. Re:unless you are swedish by CannonballHead · · Score: 2, Funny

      If a packet gets through, great. If not, well, it's not the end of the world.

      Sounds like a lot of cities' approaches to freeway systems/traffic control.

    5. Re:unless you are swedish by medlefsen · · Score: 1

      What are you talking about? Yes, for a single packet it's best effort, but you're ignoring all the other technologies and protocols that make up the internet. Assuming there is *some* route to the destination and enough bandwidth to support the extra packets that come from resending large amounts of lost packets and the Internet will always work. Don't confuse the low level architecture with the reliability of the entire infrastructure. Of course, all of that is irrelevant to this particular problem because this wasn't a connection problem but a software configuration error.

    6. Re:unless you are swedish by Gilmoure · · Score: 2, Funny

      Cache your porn, folks. Just sayin'.

      --
      I drank what? -- Socrates
    7. Re:unless you are swedish by Anonymous Coward · · Score: 0

      I never noticed that anything was down...

      hmm slashdot.org wikipedia.org mywebmailthatIwontslashvertise.fm thepiratebay.org Guess only my online bank and local news source use .se , didn't have need for either at the time. /cheers from the polarbears

    8. Re:unless you are swedish by camperdave · · Score: 1

      If a packet gets through, great. If not, well, it's not the end of the world.

      Tell that to the "Operation SpoilSport" computers running the missile silos.

      --
      When our name is on the back of your car, we're behind you all the way!
    9. Re:unless you are swedish by Verdatum · · Score: 1

      Cache your Swedish porn, at the least.

    10. Re:unless you are swedish by an+unsound+mind · · Score: 1

      And if you need the internet so badly, just DNS going down shouldn't change much anything.

    11. Re:unless you are swedish by Hyppy · · Score: 1

      I'm not saying that the entire internet infrastructure isn't reliable, it's just not "high stakes" (which I read as life-or-death) reliable.

  11. sweden is in scandinavia which is thule by circletimessquare · · Score: 1

    http://en.wikipedia.org/wiki/Thule

    we all know that thule is the ends of the earth

    so none of us should be surprised. it should have been anticipated that sweden would drop off the earth at some point. today's that day apparently

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  12. The trailing dot! by Anonymous Coward · · Score: 0

    Well then, the title should be: Entire .SE . TLD Drops off the internet

  13. Swedish Nameservers Bork Bork Bork'd! by Anonymous Coward · · Score: 0

    Film at Eleven.

  14. somewhere in sweden: by nimbius · · Score: 2, Funny

    an admin has popped back from lunch and asked, "hey guys did someone turn my computer off while i was gone? there was a file i was working on......"

    --
    Good people go to bed earlier.
  15. DNS is the problem by cthulhuology · · Score: 4, Interesting

    It still boggles my mind that anyone thought zone files are a good idea. The file format is so damn brittle, that a single byte can spell disaster. On top of that, the hierarchical naming structure presents an inherent systemic risk for all sub-domains as exhibited by this .se fiasco. Nevermind the injection attacks, Pakistan taking out Youtube, and the rest, you have organizations like Verisign which profit immensely off of keeping the system broken. And don't even bother mentioning DNSSEC, as it still doesn't resolve this fundamental issue. The next systemic fuckup will simply be a signed fuckup.

    1. Re:DNS is the problem by mypalmike · · Score: 1

      And your robust solution to a scalable global directory of name-to-ip address mapping is... ?

      --
      There are 0x40000000 types of people: those who understand 32-bit IEEE 754 floating point, and those who don't.
    2. Re:DNS is the problem by upside · · Score: 3, Insightful

      Except the Pakistan affair was about the BGP routing protocol. I agree the file format is nutty, though.

      I can't think of a better alternative to the hierarchical system, perhaps you have a suggestion. A flat namespace would be an administrative impossiblity, not to mention the stress it would put on name servers. Increasing the number of TLDs would lessen the impact of a single failure, though.

      --
      I'm sorry if I haven't offended anyone
    3. Re:DNS is the problem by RalphSleigh · · Score: 2, Insightful

      Pakistan taking out Youtube had absolutely nothing to do with DNS, they wrongly propagated a BGP announcement for the youtube IPs outside of Pakistan, so about 1/3 of the internet routed traffic into their black hole instead of to Youtube. Pretty effective blocking had they kept it internal, but they didn't.

      --
      Come as you are, do what you must, be who you will.
    4. Re:DNS is the problem by Anonymous Coward · · Score: 5, Funny

      Regedit32.exe

    5. Re:DNS is the problem by Skuld-Chan · · Score: 2, Informative

      Well in the 1980's when the RFC was written for zone files (1034/1035) it probably sounded like a perfectly sound way to configure this sort of thing, same with DNS in general (RFC's for which were also written in the 1980's).

      If it were invented from scratch today I'm sure it would resemble something like LDAP.

      The fact we haven't had more mass DNS failures like this is actually surprising.

    6. Re:DNS is the problem by divisionbyzero · · Score: 1

      It still boggles my mind that anyone thought zone files are a good idea. The file format is so damn brittle, that a single byte can spell disaster. On top of that, the hierarchical naming structure presents an inherent systemic risk for all sub-domains as exhibited by this .se fiasco. Nevermind the injection attacks, Pakistan taking out Youtube, and the rest, you have organizations like Verisign which profit immensely off of keeping the system broken. And don't even bother mentioning DNSSEC, as it still doesn't resolve this fundamental issue. The next systemic fuckup will simply be a signed fuckup.

      Yes, it's a shame you were still in diapers when this solution was developed. They could have benefited from your vast wisdom. Or maybe not, if you think the problem with YouTube in Pakistan was due to DNS rather than BGP.

    7. Re:DNS is the problem by Anonymous Coward · · Score: 0

      What about DHT?

    8. Re:DNS is the problem by bwalling · · Score: 2, Insightful

      You do recognize that most of the protocols and specifications running the Internet are decades old, right? The fact that they've lasted this long is really rather impressive.

      Besides, if we redesigned it now, it would be insanely complex and bloated, not to mention never fully implemented (CSS? ha!), as there would be too many parties "contributing".

    9. Re:DNS is the problem by photon317 · · Score: 5, Informative

      Part of the problem with DNS these days, which your post exemplifies, is that from very early on "BIND's implementation of DNS", and "DNS The Protocol" have been mashed together and confused by the RFC authors (who were involved with the BIND implementation and had motive to encourage the world to think only in BIND terms) and basically everyone who ever used DNS in any capacity. Zonefiles are not implicit in DNS address resolution (neither for authoritative servers or recursive caches). They really aren't any part of the wire DNS protocol for resolving names. They *are* part of a wire protocol for secondary servers that slave zonefiles from primary servers, but even in that case it's really more a "BIND convention" than a necessity. Ultimately how you transfer a zone's records from a master server to a slave server is up to however those two servers and their administrators agree to do so. You can skip the AXFR protocol that uses zonefiles and instead do something else that works for both of you. Inventing a new method of slaving zone data is easy and doesn't involve much complicated rollout. Some people just rsync zonefiles for instance instead of using AXFR today.

      It's really frustrating (believe me, I've done it) when you try to implement a new DNS server daemon from scratch from the RFCs, and you have to wade through this mess of "what's a BIND convention that doesn't matter and what's important to the actual DNS protocol for resolving names on the wire".

      --
      11*43+456^2
    10. Re:DNS is the problem by Anonymous Coward · · Score: 0

      It still boggles my mind that anyone thought zone files are a good idea. The file format is so damn brittle, that a single byte can spell disaster.

      What's a zonefile? I use Dynamic Update for all my DNS maintenance, you insensitive clod!

    11. Re:DNS is the problem by Kynde · · Score: 2, Interesting

      The file format is so damn brittle, that a single byte can spell disaster.

      You know what, so is ELF. Who said you should write zonefiles by hand let alone without any kind of syntax verification.

      Input syntax is never really an issue. You only ever lack the necessary tools or you are unable to use them properly. It can always be hidden behind a precompiler or whatever necessary.

      Hmmm... wait, termcap. I stand corrected.

      --
      1 Earth is warming, 2 It's us, 3 it's royally bad, 4 we need to take action NOW
    12. Re:DNS is the problem by rs79 · · Score: 1

      BIND was the spec for DNS for a while. But recently Vixie has washed his hands of that mess by saying "Don't use BIND as a spec".

      Like that helps Paul.

      --
      Need Mercedes parts ?
    13. Re:DNS is the problem by rs79 · · Score: 1

      DHT. Thanks for asking. Efforts are already underway, quietly, so ICANN doesn't notice and cannot co-opt it. Oh, and name and address shortages? Thing of the past.

      The end of an era where artificial scarcity to promote a monopoly to make the insiders very wealthy is nearly at an end. http://forum.icann.org/lists/bc-gnso/msg00134.html

      I'm shocked nobody is asking "what have all those people done for 10 years and many many millions of dollars".

      --
      Need Mercedes parts ?
    14. Re:DNS is the problem by bondjamesbond · · Score: 0

      WINS
      /s

    15. Re:DNS is the problem by Anonymous Coward · · Score: 0

      /etc/hosts ;)

    16. Re:DNS is the problem by Schraegstrichpunkt · · Score: 2, Interesting

      It gets worse. In 2007, Paul Vixie wrote an article in ACM Queue basically praising the vagueness of the DNS protocol specifications:

      From this overview, it is possible to conclude that DNS is a poorly specified protocol, but that would be unfair and untrue. DNS was specified loosely, on purpose. This protocol design is a fine example of what M.A. Padlipsky meant by “descriptive rather than prescriptive” in his 1984 thriller, The Elements of Networking Style (Prentice Hall). Functional interoperability and ease of implementation were the goals of the DNS protocol specification, and from the relative ease with which DNS has grown from its petri dish into a world-devouring monster, it’s clear to me that those goals were met. A stronger document set would have eliminated some of the “gotchas” that DNS implementers face, but the essential and intentional looseness of the specification has to be seen as a strength rather than a weakness.

    17. Re:DNS is the problem by bertok · · Score: 1

      It gets worse. In 2007, Paul Vixie wrote an article in ACM Queue basically praising the vagueness of the DNS protocol specifications:

      From this overview, it is possible to conclude that DNS is a poorly specified protocol, but that would be unfair and untrue. DNS was specified loosely, on purpose. This protocol design is a fine example of what M.A. Padlipsky meant by “descriptive rather than prescriptive” in his 1984 thriller, The Elements of Networking Style (Prentice Hall). Functional interoperability and ease of implementation were the goals of the DNS protocol specification, and from the relative ease with which DNS has grown from its petri dish into a world-devouring monster, it’s clear to me that those goals were met. A stronger document set would have eliminated some of the “gotchas” that DNS implementers face, but the essential and intentional looseness of the specification has to be seen as a strength rather than a weakness.

      Correlation does not imply causation.

      DNS didn't grow to be huge because it was designed loosely, it happened to grow big because coincidentally the Internet took off and became huge, and the Internet happened to use DNS. It would be a bit of a stretch to say that the Internet became the size it is today because one of the many underpinning protocols and standards was loosely specified.

      The Internet could have used any number of alternate name lookup systems, and it would have grown to its current size just fine. The only element of DNS design that really helped at all was its hierarchical nature, which helped it scale.

    18. Re:DNS is the problem by mypalmike · · Score: 1

      DHT doesn't remove the management problem.

      --
      There are 0x40000000 types of people: those who understand 32-bit IEEE 754 floating point, and those who don't.
  16. It was goat.se's fault by Anonymous Coward · · Score: 0
  17. so.. by PPNSteve · · Score: 1

    the trailing dot got /.'d?

    --
    PPN
  18. More signs that the Idiocracy is fast approaching by Eggplant62 · · Score: 0

    Computers only do what the programmer tells them to do. Way to go, Sven, you fubared that script, eh?

  19. Minimally-Intrusive Cleanup (BIND-specific) by Anonymous Coward · · Score: 0

    1. rndc dumpdb -all
    2. grep some variant of "NS.*\.se\.se" out of the dump file
    3. rndc flushname for each one

    This works for relatively-small caches. In my case, only 40 flushnames were necessary. It might not be an option to do manually for big huge ISP caches, although it could be automated quite easily.
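The three steps in the comment above, automated for a larger cache. This is an added example, not part of the original post: the function names, the `RNDC` override variable and the sample dump are constructed for illustration, and it assumes a dump with one record per line in which continuation lines leave the owner name blank.

```shell
#!/bin/sh
# Usage after "rndc dumpdb -all":  flush_bad_names /path/to/dump/file
# Dry run (prints instead of flushing):  RNDC=echo flush_bad_names /path/to/dump/file

# Constructed sample in the layout of a BIND cache dump (not real data).
write_sample_dump() {
    cat > "$1" <<'EOF'
; constructed cache dump
$DATE 20091013120000
broken.se.     172800  NS   ns1.broken.se.se.
               172800  NS   ns2.broken.se.se.
healthy.se.    172800  IN NS   ns1.healthy.se.
other.se.      3600    A    192.0.2.10
               86400   NS   NS.Other.SE.SE.
gone.se.       10800   \-ANY   ;-$NXDOMAIN
EOF
}

# Print the unique owner names that hold an NS record whose target ends in
# the doubled suffix. $1 = dump file, $2 = suffix (default ".se.se.")
bad_ns_owners() {
    awk -v suffix="${2:-.se.se.}" '
        /^[ \t]*;/ { next }                 # comment lines
        /^[ \t]*$/ { next }                 # blank lines
        /^\$/      { next }                 # $DATE and other directives
        {
            # A line starting with whitespace reuses the previous owner name.
            if ($0 ~ /^[ \t]/) i = 1; else { owner = tolower($1); i = 2 }
            # Skip the TTL and optional class to reach the record type.
            while (i <= NF && ($i ~ /^[0-9]+$/ || $i == "IN")) i++
            if ($i != "NS" || i >= NF) next
            target = tolower($(i + 1))
            start = length(target) - length(suffix) + 1
            if (start > 0 && substr(target, start) == suffix) print owner
        }' "$1" | sort -u
}

# Run "rndc flushname" once per affected owner name.
flush_bad_names() {
    bad_ns_owners "$1" "$2" | while read -r name; do
        ${RNDC:-rndc} flushname "$name"
    done
}
```

Flushing the owner name drops every cached record at that name, so the next query fetches the delegation again from the corrected zone.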

  20. Why MaraDNS uses a special zone file format by MaraDNS · · Score: 2, Interesting

    This is why MaraDNS (my open-source DNS server) uses a special zone file format.

    MaraDNS uses a zone file format that, for the most part, resembles BIND zone files. However, the zone file format has some minor differences so the common "Forgot to put a dot at the end of a hostname" and the "forgot to update the SOA serial number" problems do not happen; a domain name without a dot at the end is a syntax error in MaraDNS' zone file parser; if you want to end a hostname with the name of the zone in question, this has to be explicitly specified with a .% at the end of the hostname.

    There is also a mechanism for automatically generating SOA records, or having a SOA record where the serial is automatically updated based on the "last write" timestamp for the zone file.

    For people who want to use their BIND zonefiles, there is included a Python script that converts a BIND zonefile in to MaraDNS' similar zone file format.

    --
    MaraDNS is an open-source DNS server.
    1. Re:Why MaraDNS uses a special zone file format by grumbel · · Score: 2, Insightful

      Can MaraDNS handle IPv6 now? Last time I used it I had to ditch it in the end as IPv6 support was lacking.

    2. Re:Why MaraDNS uses a special zone file format by MaraDNS · · Score: 1

      Yes, MaraDNS supports IPv6. There are some hoops you need to jump through to do it, but it's there and it works depending on what you use MaraDNS for.

      The best place for MaraDNS support is on the MaraDNS mailing list. To join the mailing list, send an email to list-request {at symbol thingy} maradns.org with the word "subscribe" in the subject and body of the message.

      If you want to discuss MaraDNS IPv6 support further, or have more questions, please continue this discussion on the mailing list.

      --
      MaraDNS is an open-source DNS server.
    3. Re:Why MaraDNS uses a special zone file format by Anonymous Coward · · Score: 0

      For people who want to use their BIND zonefiles, there is included a Python script that converts a BIND zonefile in to MaraDNS' similar zone file format.

      Oh man, another step for me to perform when updating one of my zones? Let's automate that last one through a script!

  21. NSD by funkboy · · Score: 1

    If they were using NSD like the RIPE does for K root, the zone compiler wouldn't have compiled the faulty zone file and the parser would have made noise about it. NSD is very hard to break as the zone files must be compiled into a database before loading. The parser simply refuses to compile when there are zones with errors in them, so the database it creates will never be bogus (similar to the way a compiler won't create an executable if the source code violates its rules).

  22. There's møre to Sweden than .se by 93+Escort+Wagon · · Score: 5, Funny

    Wi nøt trei a høliday in Sweden this yer?

    See the løveli lakes

    The wonderful telephøne system

    And mani interesting furry animals

    --
    #DeleteChrome
    1. Re:There's møre to Sweden than .se by rainmaestro · · Score: 4, Funny

      We apologise for the fault in the previous post. Those responsible have been sacked.

    2. Re:There's møre to Sweden than .se by Anonymous Coward · · Score: 0

      Mynd you, møøse bites Kan be pretty nasti...

    3. Re:There's møre to Sweden than .se by Anonymous Coward · · Score: 1, Funny

      We apologise again for the fault in the previous post. Those responsible for sacking the people who have just been sacked have been sacked.

  23. oop.se by Anonymous Coward · · Score: 0

    Maybe time to write up a wee little test suite as part of the zone build process, hmm?

  24. named-checkzone? by natxo+asenjo · · Score: 1

    Didn't they use something like this before reloading the zone? If the mistake was a missing '.' it should've given you big warnings ...

    http://ftp.isc.org/www/bind/arm95/man.named-checkconf.html

    --
    Natxo Asenjo
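A check of the kind the two comments above ask for, meant to run on a generated zone file before it is published. This is an added example, not the .SE registry's tooling or code from any poster: the function names and the sample zone are constructed, and it assumes one record per line. It flags only targets that lack the trailing dot yet already end in the zone origin, so intentionally relative names pass.

```shell
#!/bin/sh
# Constructed sample zone (not real data): lines 5 and 6 lack the trailing dot.
write_sample_zone() {
    cat > "$1" <<'EOF'
$TTL 86400
$ORIGIN se.
@         IN SOA ns.example.se. hostmaster.example.se. 2009101201 1800 1800 864000 7200
example   IN NS  ns1.example.se.     ; absolute name, correct
broken    IN NS  ns1.broken.se       ; dot missing
          IN NS  ns2.broken.se
relative  IN NS  ns1.relative        ; intentionally relative
EOF
}

# Print "LINE TYPE TARGET => EXPANDED" for every target that would expand to
# a doubled origin such as "ns1.broken.se.se.".
# $1 = zone file, $2 = zone origin with trailing dot (e.g. "se.")
# Exit status is 1 if anything was flagged, so a build script can stop there.
doubled_origin_targets() {
    awk -v origin="$2" '
        BEGIN { origin = tolower(origin) }
        { sub(/;.*/, "") }                        # strip comments
        NF == 0 { next }
        $1 == "$ORIGIN" { origin = tolower($2); next }
        /^\$/ { next }                            # $TTL, $INCLUDE
        {
            i = ($0 ~ /^[ \t]/) ? 1 : 2           # skip the owner name if present
            while (i <= NF && ($i ~ /^[0-9]/ || toupper($i) == "IN")) i++
            type = toupper($i)
            if (type !~ /^(NS|CNAME|DNAME|MX|SRV|PTR)$/) next
            target = tolower($NF)
            if (target ~ /\.$/) next              # absolute name, used as written
            bare = origin; sub(/\.$/, "", bare)   # "se." becomes "se"
            tail = substr(target, length(target) - length(bare))
            if (target == bare || tail == "." bare) {
                printf "%d %s %s => %s.%s\n", NR, type, $NF, target, origin
                bad = 1
            }
        }
        END { exit bad }' "$1"
}
```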
  25. OMG... by Anonymous Coward · · Score: 0

    møøsë bit the sÿstëm ædministratør!

  26. Nö There's Nöt! by andersh · · Score: 1

    The Swedish alphabet does not have the letter "ø", it's written "ö" in Swedish. The letter "ø" is found in Danish and Norwegian.

    The letter is NOT a ligature or a diacritical variant of the letter o! The vowel it sounds most like is the vowel in "bird" or "hurt".

  27. What's a " .SE TLD"? by Hurricane78 · · Score: 1

    That's how it looked like in Thunderbird's RSS reader.

    --
    Any sufficiently advanced intelligence is indistinguishable from stupidity.
  28. Re:There goes my favorite web site ! [Goat...] by Tablizer · · Score: 2, Funny

    Don't worry, there's plenty of mirrors......unfortunately.

  29. The Trailing Dot by Zarf_is_with_you · · Score: 1

    How many times have we all forgotten that Dot. :)

    Funny how the software tells you that the dot is missing, why can't the software just fix it by now? NAMED/BIND deserves an A.I. by now for sure.

  30. Re:More signs that the Idiocracy is fast approachi by Darinbob · · Score: 1

    So then, logically, what we need are computers that can think for themselves. Then we could just let them run things for us, without human error. I think I'll start by just connecting these two supercomputers together. What could go wrong...

  31. Upgrade .com to .exe by argent · · Score: 1

    Regedit32.exe

    I agree. It's long past time for the .com domain to be upgraded to .exe.

    1. Re:Upgrade .com to .exe by shutdown+-p+now · · Score: 1

      I agree. It's long past time for the .com domain to be upgraded to .exe.

      No, .exe is the new domain for malware and trojan distribution websites. Did you miss the recent ICANN memo?

  32. It happens by fluor2 · · Score: 1

    Because Unix admins never test-run their code.

  33. There are tools for this... by Anonymous Coward · · Score: 0

    I'd recommend Webmin for managing BIND, which has both syntax checking and audit logs, so if someone borks something you can quickly revert your zone file back the way it was before.

  34. A moose once bit my DNS... by AliasMarlowe · · Score: 1

    ...and the DNS bit everyone else.

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
  35. Re:No There's Not! by bloobloo · · Score: 1
  36. It's worse than that by Anonymous Coward · · Score: 1, Interesting
  37. 3 hours, not 24 by ScaryPhil · · Score: 1

    BIND's max-ncache-ttl setting defaults to 3 hours for a good reason. Negative caching TTLs are capped to avoid everlasting NXDOMAIN records sitting in recursive caches.

  38. As they should. (A finnish software engineer here) by Anonymous Coward · · Score: 0

    And I know that if I would be fired for a typo that caused no major problems to anyone, I would not stop harassing my union's lawyers until they offered me some help.

    Whether a coder, a manager or someone else is to blame, he (or she) could well have worked over a decade with little to no major screw ups and then makes one error (might forget to take care of one procedure due to stress, hurry, personal problems, etc.) once, resulting in nothing worth noting (30 min of downtime for TLD for people whose DNSs haven't cached the data)...

    Someone getting fired just for this would be just absurd.

  39. not the key by Koutarou · · Score: 1

    What a disappointment, I saw the title and was thinking DNSSEC key-rollover screwup. THAT would have made for a righteous thread.

  40. It's only Sweden ... by Dark$ide · · Score: 1

    It doesn't matter. .SE is only Sweden. If .SEX fell off; then the whole Internet would melt down into a small singularity.

    --

    Sigs. We don't need no steenking sigs.

  41. Simple solution by straponego · · Score: 1

    Everybody set all your TTLs to 1.

  42. internet? by Anonymous Coward · · Score: 0

    what's that?
    XD

  43. the internet is like a swedish bikini model by gemada · · Score: 1

    you don't realize how valuable they are until they go down on you.

  44. Internet != web by tequila13 · · Score: 1

    From TFA:

    The entire Swedish Internet effectively stopped working at this point.

    That's incorrect. Only domain lookups weren't working. The Internet was working fine.

  45. Why should somebody be fired for this? by jotaeleemeese · · Score: 1

    I am sick and tired of this kind of knee jerk reaction.

    Unless it is somebody that consistently has been messing things up and has been warned, I don't see why this should be a firing somebody issue.

    It is not like we are all perfect, right? RIGHT?

    --
    IANAL but write like a drunk one.
  46. movie and music industry by cre_slash · · Score: 1

    so this is not something done by MPAA or RIAA to prevent people from accessing thepiratebay? :P

  47. Turn it over to a woman to manage by Artifex · · Score: 1

    Guarantee she'd detect a missing period earlier.

    --
    Get off my launchpad!