nanog mailing list archives

Re: what the heck do i do now?


From: Jon Lewis <jlewis () lewis org>
Date: Thu, 1 Feb 2007 16:40:22 -0500 (EST)


On Thu, 1 Feb 2007, Paul Vixie wrote:

>> 1) maps.vix.com.        604800  IN      NS      .

> i've tried that.  the retry rate actually goes up rather than down.

That's pretty messed up. I've tested both the strategies I suggested, and at least with both bind9 and DJB's dnscache, the caching name server will cache the NS, and in this (.) case, it won't ask the auth server(s) again for any subsequent queries in the former DNSBL zone (until the data expires from the cache). You must be getting hit by some seriously broken DNS caches. I don't have them handy to test, but I wonder what bind8 and bind4 do? After all, the sorts of people who set up servers to use a DNSBL 8 years ago and forgot about it are the sorts who might still be running really old DNS server software.

>> 2) maps.vix.com.        604800  IN      NS      u1.vix.com.
>>    maps.vix.com.       604800  IN      NS      u2.vix.com.
>>    maps.vix.com.       604800  IN      NS      u3.vix.com.
>>    ... [as many as you like]
>>    u1.vix.com.         604800  IN      A       192.0.2.1
>>    u2.vix.com.         604800  IN      A       192.0.2.2
>>    u3.vix.com.         604800  IN      A       192.0.2.3
>>    ... [as many as you like]

> i hadn't thought of that.  i'll think seriously about it, thanks.

I prefer this method since it's non-destructive, but much more likely to be noticed than the immediate failure the queriers get with the . method.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
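The reasoning in the message above (a caching resolver stores the zone's NS set once and stops asking the authoritative server until the TTL expires, so a retired DNSBL zone should see its query load drop) can be made concrete with a small model. The following Python is an added example, not code from the thread or from any of the people in it: it parses the two delegation fragments Jon Lewis posted (reconstructed below as constructed zone text), classifies which retirement strategy each expresses, and simulates a well-behaved cache next to a broken one that never honours the cached delegation. The resolver model, the `well_behaved` switch, and all function names are assumptions of this example; real BIND/dnscache behaviour is considerably richer.

```python
"""Model of how a caching resolver treats a retired DNSBL zone.

Added example (not from the NANOG thread). Zone data is constructed
from the records in the post; the resolver is a deliberate simplification.
"""
import ipaddress
from dataclasses import dataclass

# Constructed zone fragments mirroring the two strategies in the post.
ZONE_ROOT = """
maps.vix.com.        604800  IN      NS      .
"""
ZONE_TESTNET = """
maps.vix.com.        604800  IN      NS      u1.vix.com.
maps.vix.com.        604800  IN      NS      u2.vix.com.
maps.vix.com.        604800  IN      NS      u3.vix.com.
... [as many as you like]
u1.vix.com.          604800  IN      A       192.0.2.1
u2.vix.com.          604800  IN      A       192.0.2.2
u3.vix.com.          604800  IN      A       192.0.2.3
... [as many as you like]
"""


@dataclass
class RR:
    name: str
    ttl: int
    rtype: str
    rdata: str


def parse_zone(text):
    """Parse 'name ttl IN type rdata' lines; '...' placeholder lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("..."):
            continue
        name, ttl, _cls, rtype, rdata = line.split()
        records.append(RR(name.lower(), int(ttl), rtype.upper(), rdata.lower()))
    return records


def classify_delegation(records, zone):
    """Name the retirement strategy a zone's NS set expresses."""
    ns = [r for r in records if r.name == zone and r.rtype == "NS"]
    if not ns:
        return "no-delegation"
    if all(r.rdata == "." for r in ns):
        return "delegated-to-root"      # strategy 1: queriers fail immediately
    glue = {r.name: r.rdata for r in records if r.rtype == "A"}
    testnet = ipaddress.ip_network("192.0.2.0/24")   # TEST-NET-1, never routed
    if all(r.rdata in glue and ipaddress.ip_address(glue[r.rdata]) in testnet
           for r in ns):
        return "delegated-to-testnet"   # strategy 2: queries go to a black hole
    return "live"


class CachingResolver:
    """Caches the zone's NS set on first use and reuses it until the TTL expires.

    upstream_queries counts lookups that reach the server still publishing the
    delegation (the load the retiring operator actually sees).
    """

    def __init__(self, records, zone, well_behaved=True):
        self.records, self.zone, self.well_behaved = records, zone, well_behaved
        self.cache_expiry = None
        self.upstream_queries = 0

    def lookup(self, qname, now):
        if not qname.endswith("." + self.zone):
            raise ValueError("qname outside the modelled zone")
        if (self.well_behaved and self.cache_expiry is not None
                and now < self.cache_expiry):
            return "cached:" + classify_delegation(self.records, self.zone)
        # A broken cache (well_behaved=False) ignores the stored NS set and
        # re-asks upstream on every query, which is the symptom in the thread.
        self.upstream_queries += 1
        ttl = min(r.ttl for r in self.records
                  if r.name == self.zone and r.rtype == "NS")
        self.cache_expiry = now + ttl
        return "upstream:" + classify_delegation(self.records, self.zone)


def upstream_load(records, zone, n_queries, interval, well_behaved=True):
    """Run n_queries DNSBL-style lookups, one every `interval` seconds."""
    resolver = CachingResolver(records, zone, well_behaved)
    for i in range(n_queries):
        # 2.0.0.127 is the conventional DNSBL test entry (127.0.0.2 reversed).
        resolver.lookup("2.0.0.127." + zone, now=i * interval)
    return resolver.upstream_queries


if __name__ == "__main__":
    zone = "maps.vix.com."
    for label, text in (("NS .", ZONE_ROOT), ("TEST-NET glue", ZONE_TESTNET)):
        recs = parse_zone(text)
        print(label, classify_delegation(recs, zone),
              "well-behaved:", upstream_load(recs, zone, 1000, 60),
              "broken:", upstream_load(recs, zone, 1000, 60, well_behaved=False))
```

With a 604800-second TTL, a thousand queries a minute apart from a well-behaved cache produce a single upstream query, while the broken cache produces a thousand; only when the query series outlasts the TTL does the well-behaved count climb again. That is the shape of the argument in the message: if the retry rate rises after the change, the resolvers involved are not honouring the delegation they were given.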

