[dns-operations] SE and the value of having NS in more than one TLD

Sebastian Castro sebastian at nzrs.net.nz
Tue Oct 13 20:32:00 UTC 2009


bert hubert wrote:
> On Tue, Oct 13, 2009 at 6:17 AM, Joe Abley <jabley at hopcount.ca> wrote:
>>> Apparently the good folks at SE made a mistake with their host file
>>> today and ended up with NS records of the form [a-j].ns.se.se. While
>>> the problem has been corrected, and I certainly don't want to "pile
>>> on" I thought this was a good time to mention the value of having NS
>>> records in more than one TLD, even if you ARE a TLD. :)
>> I don't think your observation qualifies that advice at all.
> 
> I've previously & unsuccessfully tried to get people interested in
> having a very late stage 'sanity checking' tool that knows that
> today's zone can't be too different from yesterday's zone (or the zone
> of 5 minutes ago).
> 
> For example, if the total number of NS records on the zone changes by
> more than 1%, or the number of A records decreases by more than 1%,
> this would lead to the updates being held until manual intervention.
> 

I agree with you on this. At .CL we introduced a sanity check of the
size of the zone, to avoid publishing a truncated version of the zone.

In any case, this check couldn't avoid this particular error.

> One might also mark the NS records of the zone itself as 'sacrosanct' this way.
> 
> These things become a lot harder if zones are provisioned over dynamic
> update however, since each update would then have to be audited
> individually.
> 
>    Bert
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations



