[dns-operations] .MW inconsistent zone updates?
Stephane Bortzmeyer
bortzmeyer at nic.fr
Thu Jun 25 09:59:39 UTC 2015
On Thu, Jun 25, 2015 at 11:12:40AM +0200,
Gunter Grodotzki <gunter at grodotzki.co.za> wrote
a message of 78 lines which said:

> But shouldn't that raise a big red flag - even if it is not your
> fault?

DNS operator hat _on_. At $DAYJOB, we both have secondaries for other
domains, and domains for which we use outside secondaries.

It has always been our policy (and, I believe, the one of the majority
of DNS operators), that responsibility and monitoring belong to the
_master_. If a secondary of .fr lags behind, it is _our_ role and
responsibility to detect it and to solve it (warning the secondary,
retiring the secondary from the NS RRset, etc). If a secondary we host
for .example lags behind, it is not up to us to notice, but to the
.example managers.

A recent example was the break of isoc.org and internetsociety.org. A
secondary name server was behind and served expired signatures. IMHO,
the fault is 100 % on the ISOC side: they should monitor their own
zones.

> thus poisoning dns-caches with wrong/outdated responses.

I really find you have a poor choice of words and using "poisoning"
here (which means a deliberate attack) is really bad.
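
Added example, not part of the original message and not the author's or any registry's code: a master-side check for the two failure modes named above, a secondary that lags behind and a secondary that serves expired signatures. The server names, serials and timestamps are constructed sample data; in practice the observations would be collected by querying every server in the NS RRset for the SOA record and its RRSIG.

```python
from datetime import datetime, timezone

MOD = 1 << 32    # SOA serials are 32-bit unsigned integers
HALF = 1 << 31

def serial_gt(a, b):
    """RFC 1982 serial arithmetic: True if serial a is newer than serial b."""
    return a != b and (a - b) % MOD < HALF

def rrsig_time(ts):
    """Parse an RRSIG presentation-format timestamp (YYYYMMDDHHmmSS, UTC)."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def audit(master_serial, observations, now):
    """observations maps server name -> (SOA serial, RRSIG expiration).
    Returns (server, problem) tuples, ordered by server name."""
    findings = []
    for server, (serial, sig_exp) in sorted(observations.items()):
        # The master holds a newer serial than this server answers with.
        if serial_gt(master_serial, serial):
            findings.append((server, "lagging"))
        # Validating resolvers will reject signatures past their expiration.
        if rrsig_time(sig_exp) <= now:
            findings.append((server, "expired-signature"))
    return findings

# Constructed sample data (hypothetical names, serials and timestamps).
SAMPLE_NOW = datetime(2015, 6, 25, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_MASTER_SERIAL = 2015062501
SAMPLE_OBSERVATIONS = {
    "ns1.example.": (2015062501, "20150709000000"),
    "ns2.example.": (2015061001, "20150624000000"),  # stale copy of the zone
    "ns3.example.": (2015062501, "20150709000000"),
}

if __name__ == "__main__":
    for server, problem in audit(SAMPLE_MASTER_SERIAL, SAMPLE_OBSERVATIONS, SAMPLE_NOW):
        print(server, problem)
```

Comparing serials with RFC 1982 arithmetic rather than plain integer comparison keeps the check correct across a serial wrap-around.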