[dns-operations] .MW inconsistent zone updates?

Stephane Bortzmeyer bortzmeyer at nic.fr
Thu Jun 25 09:59:39 UTC 2015

On Thu, Jun 25, 2015 at 11:12:40AM +0200,
 Gunter Grodotzki <gunter at grodotzki.co.za> wrote 
 a message of 78 lines which said:

> But shouldn't that raise a big red flag - even if it is not your
> fault?

DNS operator hat _on_. At $DAYJOB, we both have secondaries for other
domains, and domains for which we use outside secondaries.

It has always been our policy (and, I believe, the one of the majority
of DNS operators), that responsability and monitoring belongs to the
_master_. If a secondary of .fr lags behind, it is _our_ role and
responsability to detect it and to solve it (warning the secondary,
retiring the secondary from the NS RRset, etc). If a secondary we host
for .example lags behind, it is not up to us to notice, but to the
.example managers.

A recent example was the break of isoc.org and internetsociety.org. A
secondary name server was behind and served expired signatures. IMHO,
the fault is 100 % on the ISOC side: they should monitor their own

> thus poisoning dns-caches with wrong/outdated responses.

I really find you have a poor choice of words and using "poisoning"
here (which means a deliberate attack) is really bad.

More information about the dns-operations mailing list