

5 out of 7 .io nameservers appear to be down - sajal83
https://pulse.turbobytes.com/results/55951090ecbe406935000172/

======
sena
[https://gigaom.com/2014/06/30/the-dark-side-of-io-how-the-u-...](https://gigaom.com/2014/06/30/the-dark-side-of-io-how-the-u-k-is-making-web-domain-profits-from-a-shady-cold-war-land-deal/)

"The rights for selling .io domains are held by a British company called
Internet Computer Bureau (ICB), [...] The British government granted these
rights to ICB chief Paul Kane back in the 1990s. ICB gets to run .io “more or
less indefinitely, unless we make a technical mistake,” Kane told me. (ICB has
so far run a stable .io namespace. It should be noted that Kane is a respected
veteran of the infrastructure scene, and has been entrusted by ICANN with one
of the 7 so-called “keys to the internet”.)"

Ooops...

~~~
verandaguy
For those of us not up to date with the wheelings and dealings of
organizations such as ICANN, what are these 7 "keys to the Internet?"

~~~
ctz
DNSSEC root key shares.

------
jasoncartwright
"The dark side of .io: How the U.K. is making web domain profits from a shady
Cold War land deal"

[https://gigaom.com/2014/06/30/the-dark-side-of-io-how-the-u-...](https://gigaom.com/2014/06/30/the-dark-side-of-io-how-the-u-k-is-making-web-domain-profits-from-a-shady-cold-war-land-deal/)

~~~
teknologist
I think I trust even an ICB root server more than I'd trust one running on
that island

------
lewisheadden
They actually seem to work fine but you have to set the non-recursive bit.

    
    
      $ dig ns io @b.nic.ac +short
    
      ; <<>> DiG 9.8.3-P1 <<>> ns io @b.nic.ac +short
      ;; global options: +cmd
      ;; connection timed out; no servers could be reached
      $ dig ns io @b.nic.ac +short +norec
      b.ns13.net.
      [... extracted for brevity]
      ns3.icb.co.uk.

~~~
kijeda
This is the correct answer. The monitoring tool is sending the wrong kind of
DNS queries to these servers, and these servers are filtering them out. You
can argue the servers should at least respond with an error, however they are
functioning correctly when you ask them for an authoritative response (i.e. a
delegation)

~~~
sajal83
(monitoring tool author here) Agree. Makes sense. We should have run this test
with RD bit unset.

But .. IIRC if RD is set when querying a non-recursive, it should respond
normally with authoritative response Recursion Available (RA) flag unset. It
does not mean it should drop the query totally.

~~~
jamiesonbecker
Dropping bad queries is often a DDoS countermeasure.
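
The difference between the two probes discussed above, as an added example that is not part of the thread or of the monitoring tool's code: it builds the same `NS io` query with RD set and with RD cleared (dig's `+norec`), decodes the header flags of a reply, and classifies a server from both probes. The function names and the sample reply are constructed for illustration.

```python
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080

def build_query(name, qtype=2, rd=True, txid=0x1234):
    """Wire-format query, class IN; qtype 2 = NS. rd=False matches dig +norec."""
    header = struct.pack("!HHHHHH", txid, RD if rd else 0, 1, 0, 0, 0)
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_flags(msg):
    """Decode the header fields a monitor should inspect in a reply."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"qr": bool(flags & QR), "aa": bool(flags & AA),
            "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & 0x000F, "answers": an, "authority": ns}

def classify(reply_rd, reply_norec):
    """Combine two probes of one authoritative server (None = timed out)."""
    if reply_norec is None:
        # No answer to the query an authoritative server is meant to serve.
        return "down" if reply_rd is None else "degraded"
    flags = parse_flags(reply_norec)
    if not flags["qr"] or flags["rcode"] != 0:
        return "error"
    if reply_rd is None:
        # Reachable and authoritative, but RD=1 queries are silently dropped.
        return "up, drops RD=1 queries"
    return "up"

# Constructed sample: an authoritative reply (QR|AA set, RA clear, 7 answers).
# Only the header and question section are included; parse_flags needs no more.
SAMPLE_REPLY = (struct.pack("!HHHHHH", 0x1234, QR | AA, 1, 7, 0, 0)
                + build_query("io", rd=False)[12:])

if __name__ == "__main__":
    print(build_query("io", rd=True).hex())
    print(build_query("io", rd=False).hex())
    print(classify(None, SAMPLE_REPLY))
```

A monitor that sends only the RD=1 probe cannot tell "down" from "up, drops RD=1 queries", which is the false alarm described in this sub-thread.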

------
hopeless
Is there a table of TLDs ranked by nameserver reliability? It seems like a
useful thing for those of us considering something more exotic

~~~
jlgaddis
I don't personally know of one (which isn't saying much) but that sounds like
an interesting thing to monitor. Maybe an HN'er who has written their own
monitoring system (and provides it as a paid service) could begin monitoring
queries/responses from the many TLD root name servers.

------
xnzakg
"i/o timeout"

That's ironic.

~~~
logicrime
What if the actual Indian Ocean timed out? That'd suck.

~~~
halviti
From your previous comment complaining about HN:

"The internet doesn't need another reddit, it's bad enough as it is."

Yet you insist on making comments that only belong on reddit. Can I convince
you to delete your account?

~~~
x0
Fair enough if you don't appreciate the comment, but asking someone to delete
their account is incredibly rude. There are much more tactful ways of telling
someone their attempt at humour is not appreciated.

------
Ken-B
There's a good 2004 documentary by famous film maker John Pilger on the topic
of Chagos: "Stealing A Nation".

Fully available on youtube, about 1h long:
[https://www.youtube.com/watch?v=0zhGvId4fcc](https://www.youtube.com/watch?v=0zhGvId4fcc)

It seems that now also startup companies are (unwillingly, I presume)
contributing to this lasting injustice.

------
poooogles
5 out of 7 have been down for ages, literally ages.

~~~
bhouston
How do you know?

~~~
OedipusRex
Not sure if this is what OP is getting at but I do believe some of these .io
domains are failed projects that are no longer pointing to an active web
server.

~~~
blackoil
These are TLD servers, not domains. TLD servers are root DNS servers, acting as
source of truth for the domain names.

~~~
kijeda
No, a root server is shorthand for the authoritative name servers that serve
the root zone of the DNS. Here is the list:
[http://www.iana.org/domains/root/servers](http://www.iana.org/domains/root/servers)

Servers configured to be a source of truth are called "authoritative name
servers".

There is no technical distinction between "TLDs" and "domains", they are all
just domains, they are just different levels of the DNS hierarchy.

------
sajal83
[https://pulse.turbobytes.com/results/5595115aecbe40693500017...](https://pulse.turbobytes.com/results/5595115aecbe406935000175/)
better link to show that it's not a local resolver issue.

------
jlgaddis
... and the two remaining nameservers look to be run by the same organization;
the /16 that they both reside in (49.212/16) is being announced by "Sakura
Internet" (AS9371).

It looks like they do have multiple upstreams, though.

------
bezalmighty
My .io has been up and down about 25 times in the last 15 hours. The downtime
has been about 1.0 - 2.5 minutes each occasion, with a down period of 1 hour
48 minutes at the start.

The latter downtimes look planned, as they are for exact periods (1 minute 0
seconds, 1 minute 30 seconds, 2 minutes 30 seconds, etc)

Here's an extract from the log with timing in case anyone's interested:
[https://gist.github.com/anonymous/ed37826bc66c23d6c791](https://gist.github.com/anonymous/ed37826bc66c23d6c791)

~~~
jlgaddis
What are you using for monitoring / what generated these logs?

Unless your monitor is attempting a connection every, e.g., one second, you're
going to end up with the "exact periods" you describe (i.e., presumably your
monitor is only attempting to connect once every 30s).

Also, this would be more indicative of a problem with your web host, not the
.io root name servers, assuming the TTLs on your RRs are set to > 30s.

~~~
emilburzo
The message format looks like something from UptimeRobot.

------
rikkus
I was already slightly concerned about getting a .cc domain for my email
address, due to it being a 'lesser' TLD and thinking this sort of thing might
happen. Are there ways to mitigate this risk in general, or is it something we
generally have to accept if we're not choosing .com domains?

~~~
josephmx
I think (but don't hold me to it), that country-ran (eg, .co.uk, .us) or major
TLDs are safe (eg, .net, .org)

~~~
billyhoffman
I don't understand what you mean by "country-ran." .us and .uk are ccTLDs,
meaning they were created and recognized 2-3 decades ago by ICANN based on ISO
country and Territory codes. ccTLDs are among the oldest continually operating
TLDs. In fact, .io is a ccTLD.

But that doesn't make them "run by a country". .us is not run by the US
government. It is run by Neustar. There is not something that says Neustar
won't have poorly available/slow name servers, beyond that same statement that
the .io people said.

~~~
josephmx
I was under the impression that ccTLDs are administered/ran by the country
they belong to (eg, I thought .us was administered by the US government). It
sounds like I'm wrong though, my bad.

~~~
icebraining
Countries have the oversight, but they usually contract out its administration
to some company.

------
svckr
Am I the only one who noticed the mustache templates in <title>-tag while the
page was loading?

~~~
sajal83
That's an AngularJS template... We need to put in some placeholder there.

~~~
jand
using <title data-ng-bind="pagetitle"></title> should eliminate the flicker

~~~
nkozyra
Alternately, ngCloak:

[https://docs.angularjs.org/api/ng/directive/ngCloak](https://docs.angularjs.org/api/ng/directive/ngCloak)

------
buster
And yet the internet keeps working.. :) Docker.io still resolves for me, and I
guess many others do?

~~~
sajal83
every y out of x times a DNS recursor will fail to resolve .io .... ratio of
y:x is based on complex srtt algorithms, and traffic levels. Not a big issue
for popular hostnames like docker.io because most recursives would have the
delegation in their cache.

------
josteink
But a .io domain sure is hip! Can't go with something boring or traditional like
.com, .net or .org ;)

~~~
ianlevesque
That's because anything halfway human readable is taken under those TLDs.

~~~
icebraining
There are plenty of human readable domains available, they're just long.

------
thirdreplicator
I hope this is costing them lots of money for fucking up.

------
artur_makly
We seem to be POPing : http://popteam.io

