[dns-operations] Recommended zone serial number format for over 100 changes / day

Colm MacCárthaigh colm at stdlib.net
Mon Apr 4 18:16:50 UTC 2016


On Mon, Apr 4, 2016 at 9:21 AM, Andrew Sullivan <ajs at anvilwalrusden.com>
wrote:
>
> On Mon, Apr 04, 2016 at 08:08:53AM -0700, Colm MacCárthaigh wrote:
> >
> > It's not ignoring the protocol to implement some basic safety checking,
>
> It's certainly ignoring RFC 3597 to be unable to handle unknown
> RRTYPEs.  And continuing to serve the zone after expire time is
> ignoring RFC 1035.
>

I don't interpret either RFC as a command to treat unknown RR-types as
something that must be agnostically passed around, even if you don't know
how to handle them, or to stop serving a zone that is handling traffic.
RFCs exist to serve the needs of a stable internet; not the other way
around. It's valid and sensible to safety check a zone before you serve it,
it's valid to serve stale zones (dns is eventually consistent) and it's
commonplace and good operations to ignore the expire time since it's so
dangerous.

> I think we're just going to have to agree to disagree on this; it's
> clear that you prefer a server to do something that I consider a
> seriously bad idea, and conversely :)
>

I don't think we're in the realm of reasonable disagreement here. In the
face of reasonable scenarios where accepting unknown record types leads to
actual resolution failures, you're stubbornly advocating for a kind of
lawyerly "rules must be obeyed" reading that leads to the domains not
resolving. Your argument boils down to 'domain transfers must always
succeed even if that breaks domain resolution because of
incompatibilities'.  That's not good practice and let's not leave folks
with that impression.

-- 
Colm
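The RFC 3597 generic encoding for unknown RR types that the thread argues over, as an added example (not from either poster): a zone-load check that verifies the `\# <length> <hex>` presentation form is well-formed while leaving the record's meaning opaque, so a server can refuse a malformed zone without rejecting every type it does not understand. The owner names and TYPE numbers in the sample lines are constructed.

```python
import re

# RFC 3597 generic presentation: '\# <rdlength> <hex bytes, whitespace allowed>'
_GENERIC_RE = re.compile(r"^\\#\s+(\d+)\s*(.*)$")
_TYPE_RE = re.compile(r"^TYPE(\d+)$")  # unknown types appear as TYPEnnnn

def parse_generic_rdata(text):
    """Decode '\\# n hex...' RDATA to bytes, checking only the encoding:
    even digit count, valid hex, declared length == actual length."""
    m = _GENERIC_RE.match(text.strip())
    if not m:
        raise ValueError("RDATA is not in \\# generic form")
    declared = int(m.group(1))
    hexstr = re.sub(r"\s+", "", m.group(2))
    if len(hexstr) % 2:
        raise ValueError("odd number of hex digits")
    try:
        data = bytes.fromhex(hexstr)
    except ValueError:
        raise ValueError("non-hex characters in RDATA") from None
    if len(data) != declared:
        raise ValueError(f"declared length {declared} != actual {len(data)}")
    return data

def check_unknown_rr(line):
    """Parse '<owner> <ttl> IN TYPE<n> \\# <len> <hex>' into (n, rdata)."""
    _owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
    tm = _TYPE_RE.match(rtype)
    if not tm:
        raise ValueError(f"{rtype} is not a TYPEnnnn mnemonic")
    return int(tm.group(1)), parse_generic_rdata(rdata)

def validate_zone(lines):
    """Keep well-formed unknown-type records opaquely; list malformed ones
    with the reason, so a zone can be refused before it is served."""
    accepted, rejected = [], []
    for line in lines:
        try:
            accepted.append(check_unknown_rr(line))
        except ValueError as exc:
            rejected.append((line, str(exc)))
    return accepted, rejected

if __name__ == "__main__":
    # Constructed sample lines; TYPE65280 and up is the private-use range
    sample = [r"example.test. 3600 IN TYPE65280 \# 4 0A 00 00 01",
              r"example.test. 3600 IN TYPE65281 \# 3 0A000001",  # bad length
              r"example.test. 3600 IN TYPE65282 \# 0"]  # empty RDATA is legal
    ok, bad = validate_zone(sample)
    print(f"{len(ok)} accepted, {len(bad)} rejected:", bad)
```

Known types would go to the normal per-type parser; only TYPEnnnn lines are handled here.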