nanog mailing list archives

Re: dns authority changes and lame servers

From: Paul Vixie <vixie () vix com>
Date: 19 Oct 2007 00:03:42 +0000


mike () rockynet com (Mike Lewinski) writes:

Justin Scott wrote:

I suppose the problem with having an official list to query would be
getting all of the various registries to participate and keep it
regularly updated.  I personally qualify this as a slight inconvenience,
but I'm not sure I would call it a flaw in the DNS system.


If we just call DNS a distributed database, then it is easy to see that 
when the keys (glue at root) get updated, the relations to those keys 
*should* all reflect that change.  ...

And I'll admit, I'm not sure how to properly fix it either. My first 
thought was a BIND directive to "expire-stale-zones <interval>;" so that 
every <interval> the server might check to be sure it is still auth, and 
if it has found authority changed, would stop giving out AAs for it. But 
I see all kinds of operational issues arising from that too (such as, 
how do we gracefully setup new customer's zone before it has 
transitioned here).


as duane said, it's possible to accomplish this with creative nagios plugins.
however, i agree that it's something BIND should do, to be comprehensive.  if
someone is excited enough about this to consider sponsoring the work, please
contact me (vixie () isc org) to discuss details.

Really, in my ideal Internet, once my server was notified that it was no 
longer authoritative, it would have an option to do a reverse xfer to 
the new auth servers (who would then be free to accept/reject the old 
information as necessary - can't count the number of times I've tried to 
get customers to provide zone file records in advance and failed because 
they don't know how/where to get them from). But that's an ideal 
Internet that will never exist, I know.


it's because we didn't know exactly how to scope this problem that RFC 2136
does not permit the insertion or deletion of authority zones.  noting that
the ideal internet you want is within our grasp if we can only define it and
sponsor it, i recommend taking up this thread on namedroppers () ops ietf org or
dns-operations () lists oarci net.
-- 
Paul Vixie

Current thread:

dns authority changes and lame servers Mike Lewinski (Oct 18)
- RE: dns authority changes and lame servers Justin Scott (Oct 18)
  - Re: dns authority changes and lame servers Mike Lewinski (Oct 18)
    - Re: dns authority changes and lame servers Paul Vixie (Oct 18)
    - Re: dns authority changes and lame servers Simon Waters (Oct 19)
  - Re: dns authority changes and lame servers David Ulevitch (Oct 18)
    - RE: dns authority changes and lame servers Justin Scott (Oct 18)
    - Re: dns authority changes and lame servers Paul Vixie (Oct 18)
    - unsuc schahzad (Oct 18)
    - Re: unsuc schahzad (Oct 18)
  - Re: dns authority changes and lame servers Jack Bates (Oct 18)
    - Re: dns authority changes and lame servers Duane Wessels (Oct 18)
- Re: dns authority changes and lame servers chuck goolsbee (Oct 18)
  - Re: dns authority changes and lame servers Rob Thomas (Oct 18)

(Thread continues...)