[dns-operations] Recommended zone serial number format for over 100 changes / day

Andrew Sullivan ajs at anvilwalrusden.com
Mon Apr 4 16:21:01 UTC 2016


On Mon, Apr 04, 2016 at 08:08:53AM -0700, Colm MacCárthaigh wrote:
> It's not ignoring the protocol to  implement some basic safety checking,

It's certainly ignoring RFC 3597 to be unable to handle unknown
RRTYPEs.  And continuing to serve the zone after expire time is
ignoring RFC 1035.

> expected behavior; a slave shouldn't accept DNSSEC records if it doesn't
> have the ability to serve them correctly either. Otherwise the zone may end
> up black-holed.

It seems to me that it's at least as likely you'll turn the zone bogus
if you fail the zone transfer and serve an old zone.  If the zone
operator sends the DS to the parent while a slave is failing to
complete the transfer, then that slave will serve a bogus zone.  (Of
course, one has to wonder what planet the zone operator is on under
these circumstances, so there's that.)

I think we're just going to have to agree to disagree on this; it's
clear that you prefer a server to do something that I consider a
seriously bad idea, and conversely :)


Andrew Sullivan
ajs at anvilwalrusden.com
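The disagreement above turns on two RFC 1035 facts: a secondary that cannot refresh must stop answering once the SOA EXPIRE interval has elapsed, and until then it keeps answering from a stale copy whose serial lags the primary. The following monitoring check, added here as an illustration and not code from either poster, models exactly those states so an operator can spot a secondary that is silently failing transfers before a DS is published. The SOA text and timestamps are constructed sample values; serials are compared with RFC 1982 wrap-around arithmetic.

```python
"""Added example: classify the health of a secondary (slave) nameserver's copy
of a zone using the SOA timers from RFC 1035 and serial arithmetic from RFC 1982.
Nothing here is from the mailing-list thread; all inputs are constructed."""
from dataclasses import dataclass

SERIAL_MODULUS = 1 << 32
SERIAL_HALF = 1 << 31


@dataclass(frozen=True)
class SOA:
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def parse_soa_rdata(rdata: str) -> SOA:
    """Parse presentation-format SOA RDATA, e.g.
    'ns1.example. hostmaster.example. 2016040401 3600 900 1209600 300'."""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError(f"SOA RDATA needs 7 fields, got {len(fields)}")
    nums = [int(x) for x in fields[2:]]
    for n in nums:
        if not 0 <= n < SERIAL_MODULUS:
            raise ValueError("SOA numeric fields are unsigned 32-bit integers")
    return SOA(fields[0], fields[1], *nums)


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982: is serial a 'less than' serial b in 32-bit wrapping space?"""
    a %= SERIAL_MODULUS
    b %= SERIAL_MODULUS
    return (a < b and b - a < SERIAL_HALF) or (a > b and a - b > SERIAL_HALF)


def secondary_status(local: SOA, primary_serial: int,
                     last_ok_transfer: int, now: int) -> str:
    """Classify a secondary's copy of the zone.

    local             -- SOA the secondary is currently serving
    primary_serial    -- serial currently published by the primary
    last_ok_transfer  -- epoch seconds of the last successful AXFR/IXFR
    now               -- current epoch seconds
    """
    age = now - last_ok_transfer
    if age >= local.expire:
        # RFC 1035 section 3.3.13: the copy is no longer authoritative and
        # the secondary must stop answering for the zone.
        return "expired"
    if serial_lt(local.serial, primary_serial):
        # Transfers are failing; publishing a DS now would make this
        # secondary serve a bogus zone, which is the risk discussed above.
        return "stale"
    if age >= local.refresh:
        return "refresh-due"
    return "current"


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    soa = parse_soa_rdata(
        "ns1.example. hostmaster.example. 2016040401 3600 900 1209600 300")
    print(secondary_status(soa, 2016040402, last_ok_transfer=0, now=600))
```

Feeding the check with the serial seen on the primary (for example from a scheduled SOA query) and the secondary's last successful transfer time turns the "slave failing to complete the transfer" scenario in the reply into an alert rather than something discovered after the DS goes in.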

