[dns-operations] caches only resetting TTL? was Re: Where to find "DNS resolution path corruption"?

Mark Andrews Mark_Andrews at isc.org
Tue Feb 26 22:57:26 UTC 2008


> in yet another attempt to fool the world into thinking that the BIND Company
> aren't a bunch of nazis marching shoulder to shoulder, i'm going to pick this
> as my moment to argue with another BIND Company employee about a technical
> detail.
> 
> > 	This is just the result basic DNS management practices not being
> > 	followed.
> > ...
> > 	In all cases old servers should be deconfigured.
> 
> i am aware of many "stealth slave" relationships, for example, all of the
> root name servers are authoritative for root-servers.net even though only
> four of them are listed in its NS RRset.  the goal in these relationships
> is to be able to include A RR glue in additional data sections with TTL's
> that are not ticking down, and to have none of the A RRs referred to by
> the authority section be missing in the additional data section (other than
> for the reason of there not being enough room for all of them.)
> 
> the difference between a zone which was never deconfigured from an authority,
> and a server deliberately having a "stealth slave" zone, is one of intent,
> which cannot be detected on the wire.  there is no correctness issue here,
> and no way to apply the normal referents of the word "should" (as above).

	The stealth slave server serves the *same* zone content as
	the authoritative servers, sans transmission delays.

	The problem that triggered this discussion is that people
	leave servers running that serve *different* (old) zone
	data.  You will note that the old server will become a
	stealth slave server once the TTL's expire.  It will also
	expire the zone if its master goes away, assuming there
	are no loops in the zone transfer graph.

	The steps in the description of how to manage changes in
	nameservers, if followed, don't leave you with servers
	serving different zone content.  If they just turn the old
	master into a slave all the servers will have the current
	zone content and there would be no problems except the
	effective expire interval will increase as the maximum
	transfer path length has increased.

	Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
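The transfer-graph behaviour Mark describes above, as an added example in Python that is not part of the original post: it models which servers can never expire a zone because of a loop in the zone-transfer graph, how the effective expire interval grows with the maximum transfer path length once an old master is simply turned into a slave, and which servers are serving different (old) zone data judged by SOA serial. All server names, serials and the expire timer are constructed for the example.

```python
"""
Added example for the thread above (not code from the original post): model
the zone-transfer graph and check (a) which servers can never expire the zone
because of a transfer loop, (b) how the effective expire interval grows with
the transfer path length, and (c) which servers serve old zone data judged
by their SOA serial.  All names, serials and timers are constructed.
"""
from functools import lru_cache

# SOA expire timer, one week.  Assumption: every server uses the same value.
EXPIRE = 7 * 24 * 3600

# Constructed topology: slave -> list of masters it transfers from.
# A server with an empty list is a primary (loads the zone from its own file).
TRANSFER_GRAPH = {
    "ns1.example.net.": [],
    "ns2.example.net.": ["ns1.example.net."],
    # old master, now demoted to a slave of ns1 as the thread recommends
    "old.example.net.": ["ns1.example.net."],
    # slave still pointed at the old master: transfer path length 2
    "ns3.example.net.": ["old.example.net."],
}

# Constructed graph with a transfer loop: a and b slave from each other.
LOOPED_GRAPH = {
    "ns1.example.net.": [],
    "a.example.net.": ["ns1.example.net.", "b.example.net."],
    "b.example.net.": ["a.example.net."],
    "c.example.net.": ["b.example.net."],
}


def never_expires(graph):
    """Servers that keep the zone forever once the primary vanishes.

    A slave only expires the zone when every master stops answering.  Servers
    on a cycle of slave->master edges keep refreshing each other, and any
    server whose master chain reaches such a cycle inherits the same fate.
    """
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {s: WHITE for s in graph}
    on_cycle = set()

    def dfs(node, stack):
        colour[node] = GREY
        stack.append(node)
        for master in graph.get(node, []):
            if colour.get(master, WHITE) == WHITE:
                dfs(master, stack)
            elif colour[master] == GREY:
                # back edge: master .. top of stack form a cycle
                on_cycle.update(stack[stack.index(master):])
        stack.pop()
        colour[node] = BLACK

    for s in list(graph):
        if colour[s] == WHITE:
            dfs(s, [])

    # propagate: a server with any never-expiring master never expires either
    doomed = set(on_cycle)
    changed = True
    while changed:
        changed = False
        for s, masters in graph.items():
            if s not in doomed and any(m in doomed for m in masters):
                doomed.add(s)
                changed = True
    return doomed


def max_transfer_path_length(graph, server):
    """Longest slave->master chain from `server` to a primary (0 for a primary).

    The slave keeps refreshing from whichever master still answers, so the
    longest chain governs how long stale data can survive.  Returns None if
    the server sits on or behind a transfer loop (the zone never expires).
    """
    if server in never_expires(graph):
        return None

    @lru_cache(maxsize=None)
    def depth(node):
        masters = graph.get(node, [])
        return 0 if not masters else 1 + max(depth(m) for m in masters)

    return depth(server)


def effective_expire(graph, server, expire=EXPIRE):
    """Upper bound on how long `server` keeps serving after the primary goes
    away: each hop can refresh from the hop above right up to the moment that
    hop expires, so the intervals add up along the longest path.
    Returns None when a loop means the zone can never expire."""
    length = max_transfer_path_length(graph, server)
    return None if length is None else length * expire


# Constructed SOA serials as each server would return them for one zone.
SOA_SERIALS = {
    "ns1.example.net.": 2008022601,
    "ns2.example.net.": 2008022601,
    "old.example.net.": 2008022601,
    "stale.example.net.": 2007110501,  # forgotten server, never deconfigured
}


def stale_servers(serials):
    """Servers whose SOA serial lags the newest serial seen: the 'different
    (old) zone data' case.  Plain integer comparison; assumes serials have
    not wrapped, so RFC 1982 serial arithmetic is not needed here."""
    newest = max(serials.values())
    return sorted(s for s, serial in serials.items() if serial != newest)


if __name__ == "__main__":
    print("never expire:", sorted(never_expires(LOOPED_GRAPH)))
    for s in TRANSFER_GRAPH:
        print(s, "path length", max_transfer_path_length(TRANSFER_GRAPH, s),
              "effective expire (days)", effective_expire(TRANSFER_GRAPH, s) // 86400)
    print("stale:", stale_servers(SOA_SERIALS))
```

In the constructed topology ns3 sits two transfers away from the primary, so its effective expire doubles to two weeks, which is the increase Mark refers to when the old master is kept as a slave; in the looped graph a, b and c can never expire at all, which is why the "no loops in the zone transfer graph" caveat matters.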