[dns-operations] Quick analysis of TLD SOA's

Mark Andrews marka at isc.org
Thu Jul 14 03:19:03 UTC 2011


In message <6DCA2238-7A14-4558-B4CF-88201805FF4C at hopcount.ca>, Joe Abley writes:
> 
> On 2011-07-13, at 19:06, Mark Andrews wrote:
> 
> > 
> > In message <20110713201044.GC16779 at x27.adm.denic.de>, Peter Koch writes:
> >> On Wed, Jul 13, 2011 at 08:49:34PM +0200, Gilles Massen wrote:
> >> 
> >>> Rickard Bellgrim did a nice analysis on SOA Expire vs. Signature Refresh
> >>> interval, with the result that .SE lowered their expire time. This is
> >>> something that obviously was not on the radar when most SOA
> >>> recommendations were written.
> >> 
> >> true. What also needs to be taken into account is the length of the XFR path.
> > 
> > Which is infinite (a loop) in many cases.  There was even a loop
> > presented as "best practice" earlier.  This breaks expire processing
> > as SOA refresh queries get answered.
> 
> Well, it reduces the usefulness of EXPIRE processing to the case where a
> nameserver is genuinely (fully) isolated from the herd.
> 
> The assumption is that anybody who is paying enough attention to their
> DNS infrastructure to bother with loop xfr topologies surely is also
> monitoring SOA serial lag independently, and acting to fix problems long
> before an EXPIRE timer would trip anyway.

xfr loops are easy to create accidentally.

The point of expire is to catch errors when people forget to monitor.
Expire should work regardless of the transfer graph.

> I agree that the assumption is worth spelling out.
> 
> Joe

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
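The failure mode Mark describes (a secondary's SOA refresh query is answered by another secondary in an XFR loop, so its expire timer is reset and the stale zone is served forever) can be shown with a small simulation. This is an added example, not code from the thread or from ISC; the server names, the two topologies and the timer values are constructed for illustration, and the refresh/expire model is a simplification of what a real secondary does (any answered SOA query from a listed master resets the expire timer, which is the behaviour the message relies on).

```python
"""Added example: why an XFR loop defeats SOA EXPIRE (not from the thread).

Model: every `refresh` seconds a secondary sends a SOA query to each of its
configured masters.  If any master answers (the primary while it is up, or a
secondary whose own copy has not expired), the secondary's expire timer is
reset.  Once no master has answered for `expire` seconds the secondary stops
serving the zone.  All names and numbers below are constructed.
"""

# Topology A ("star"): every secondary pulls only from the hidden primary.
STAR = {
    "ns1": ["hidden"],
    "ns2": ["hidden"],
}

# Topology B ("loop"): each secondary also lists the other as a fallback
# master.  This is easy to create by accident when copying masters lists.
LOOP = {
    "ns1": ["hidden", "ns2"],
    "ns2": ["hidden", "ns1"],
}


def find_xfr_loops(masters):
    """Return each cycle in the transfer graph as a list of server names.

    `masters` maps a secondary to the servers it queries for the zone.
    Servers that appear only as masters (e.g. the hidden primary) pull
    from nobody, so they cannot be part of a cycle.
    """
    seen = set()
    cycles = []

    def walk(node, path):
        for m in masters.get(node, []):
            if m in path:
                cycle = path[path.index(m):] + [m]
                key = frozenset(cycle)      # one canonical copy per cycle
                if key not in seen:
                    seen.add(key)
                    cycles.append(cycle)
            else:
                walk(m, path + [m])

    for start in masters:
        walk(start, [start])
    return cycles


def simulate_expire(masters, primary, refresh, expire, primary_down_at, horizon):
    """Step the clock in units of `refresh` and return {server: expiry time}.

    The value is None for a secondary that never expires within `horizon`.
    The primary stops answering at `primary_down_at`; secondaries answer
    SOA queries as long as their own copy has not expired.
    """
    last_ok = {s: 0 for s in masters}
    expired = {s: None for s in masters}
    t = 0
    while t <= horizon:
        t += refresh

        def is_up(m):
            if m == primary:
                return t < primary_down_at
            return m in masters and expired[m] is None

        # Evaluate all queries against the state at the start of the step.
        answered = {s: any(is_up(m) for m in mlist) for s, mlist in masters.items()}
        for s in masters:
            if expired[s] is not None:
                continue
            if answered[s]:
                last_ok[s] = t
            elif t - last_ok[s] >= expire:
                expired[s] = t
    return expired


if __name__ == "__main__":
    args = ("hidden", 3600, 86400, 7200, 30 * 86400)  # refresh 1h, expire 1d
    print("star loops:", find_xfr_loops(STAR), simulate_expire(STAR, *args))
    print("loop loops:", find_xfr_loops(LOOP), simulate_expire(LOOP, *args))
```

With the star topology both secondaries stop serving the zone one expire interval after their last successful refresh; with the loop topology `find_xfr_loops` reports the ns1/ns2 cycle and neither secondary ever expires, because each keeps answering the other's SOA query with the last serial it received. Running the cycle check against your own masters/primaries lists is the cheap way to catch the accidental loop before it silently disables expire.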