FAQs about partial non-availability

No, there were no domain deletions. All domains remained unchanged in DENIC’s registration database.  A so-called zone file with technical information (DNS data) is created at regular intervals from this database, and is distributed by the nameservers.  It was only the distribution to some nameservers that caused problems.

The affected version of the .de-zone 2010051253 (created at 1:09 pm CEST) included the DNS data for all .de-domains (13672644).
Following the zone data update of the nameservers however, certain servers delivered correct data for 3837256 of the domains.  For all other domains non-existence was mistakenly asserted (so-called NXDOMAIN-Answer).

No. Since the DENIC domain database was not affected, DENIC’s other information services (whois, domain query, and domaincheck) delivered correct answers throughout.

Since not all .de DNS servers answered queries wrongly, and due to the fact that not every name resolution that includes a “.de” domain name queries the DENIC DNS servers for “.de”, not every user and not every name request (e.g., while browsing a web server) has been affected.

The DNS system makes extensive use of query-reply caching, so correct data for a domain name may still be available in the cache from a name resolution process.

Without this cached information, however, a user or process would wrongly have gotten the information, that the domain was not existent, resulting in interruptions of the used service (web, email, etc.)

In a web browser context, domains resolved to “not existent” trigger an error message of the actual web browser, indicating that the domain name in question does not exist or may have been spelled wrong.

Depending on the application, the domain name in question might have incorrectly been reported as “free” or “available”.

Depending on the Internet service provider used, web users might have been redirected to search engines or portals.

In certain circumstances, emails will not be delivered. In case the sender address domain allegedly does not exist, emails might be designated as spam and tagged or deleted.

In case the receiver’s domain name is affected by the faulty “NXDOMAIN” responses, handling in the Internet email systems is the same as with a mistyped receiver address: The email’s sender usually gets notified that the address in question does not exist, and that the email could not be delivered.

This happens in most cases (hence “usually”), where protocol compliant email systems are being used, and where the error message can be delivered to the sender’s email address (which could be affected by the above problem, too). Since the delivery of the error message is in most cases local to the sender’s systems – and needs no external domain lookup, possibility of this delivery can be assumed.

In case the receiver of the email validates the sender address for spam averting reasons, and the sender domain is deemed to be non existent, the email may be classified as spam and be rejected. Since this usually happens in the delivery process itself, the sender can be assumed to receive an appropriate error message from their own (outgoing) mail servers.

12 of the 16 locations for .de-nameservers delivered the incorrect NXDOMAIN-answers described. The servers “s.de.net” and “c.de.net” always answered correctly.  The same is true of the IPv6-nameserver in Frankfurt (f.nic.de).

DNS is an important component of the internet, upon which many other services build.  Therefore, it is perceiveable that other services, such as SIP, were affected.  It is barely possible to list all conceivable consequences, so we concentrated on the most important ones in these FAQs.

No. DENIC operates two redundant and independent data centres in Amsterdam (NL) and Frankfurt (D).  On May 11, a scheduled switch of the active data centre from Amsterdam to Frankfurt took place. Since it could not be guaranteed that in the scope of this switch the services offered by these Registry Service Locations (RSLs) would not suffer short interruptions, the switch was officially announced, http://www.denic.de/denic-im-dialog/mailinglisten/public-l.html?url=msg04446.xml.

The nameservice, in contrast, is provided at 16 locations world wide, including Amsterdam and Frankfurt, but is set-up independently of the registry service infrastructure.  Hence, DNS service was not affected by the switch of the RSLs.

No. DNSSEC is a protocol extension of the DNS that protects against certain forms of data falsification.  DENIC is currently operating a DNSSEC testbed to evaluate this technology.  For this purpose, a signed version of the .de-zone is offered on a separate infrastructure. The productive .de-zone is not signed with DNSSEC and an impact of the testbed on the productive environment is impossible. The incorrect answers are not associated with DNSSEC.

No. The protocol extension DNSSEC protects the DNS-data against change and falsification, in particular on the way from the authoritative nameservers, such as DENIC operates, to the resolvers and end systems.  DNSSEC is not capable of recognising or preventing errors in the initial distribution of the data to the nameservers.

It cannot be ruled out that queries have been diverted. This is actually depending on the settings of the respective Internet Service Provider.

Generally speaking, other TLDs have not been affected. However, the DNS is a widely branching, shared and redundant system, where multiple DNS servers are used for each domain’s name resolution process. Domains solely handled by DNS servers affected by the disturbance would have been affected in the way that no data (IP addresses for web and email servers, etc.) could have been ascertained. This would have lead to the non-availability of services to these domains and services therein.

No.  The problem described in http://blog.1und1.de/2010/05/13/routingprobleme-am-vatertag/ was independent of the DNS disturbance discussed here.