[dns-operations] unrelated to Re: Recommended zone serial number format for over 100 changes / day

Brett brettcarr at gmail.com
Thu Apr 7 17:48:00 UTC 2016


I've come to this thread late so apologies if I am repeating what has
already been said (it's probably worth repeating anyway).

On 4 April 2016 at 18:30, Edward Lewis <edward.lewis at icann.org> wrote:
> I really ought to be doing other work today than answering this thread. ;)
>
> On 4/4/16, 12:08, "dns-operations on behalf of Colm MacCárthaigh"
> <dns-operations-bounces at dns-oarc.net on behalf of colm at stdlib.net> wrote:
>
>>Otherwise the zone may end up black-holed.
>
> One of the perennial issues in zone transfers is "what happens if the
> client of the XFR gets confused?" IOW, if a slave gets a version of the
> zone from the master and it contains records that should have special
> meanings to the DNS algorithms but the slave doesn't realize it.
>
> The first stipulation of selecting the set of authoritative servers is
> that all of them are capable of performing whatever version/style of DNS
> service you want.  DNSSEC or not?  ANAME or not?  Whatever or not?  If
> you insist on using a BIND 4 server, you're gonna get what you're gonna
> get.
>

Absolutely correct, 100%. As a responsible operator, when you make any
change (i.e. supporting new record types, algos, etc.) it is your
responsibility to test your own systems and ensure any systems run by
partner organisations support what you intend to do. When we first
rolled out DNSSEC at RIPE many years ago I remember distinctly
carefully going through all our secondaries to check they could
support DNSSEC, and dropping NSs from UUNET (Verizon by then of
course) because they could not.

Brett
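The check Brett describes (going through every secondary before a DNSSEC rollout to confirm it actually serves the signed zone) can be automated. The following is an added example written for this archive page, not code from the thread or from RIPE: it sends each listed authoritative server a non-recursive SOA query with EDNS0 and the DO bit set, then flags servers that do not answer authoritatively, do not echo DO, return the SOA without an RRSIG (a DNSSEC-unaware secondary that dropped the signatures, or one still serving an unsigned copy), or carry a serial that disagrees with the others. Only the Python standard library is used; the wire-format handling is deliberately minimal. The `constructed_response` helper fabricates reply bytes so the parsing and assessment logic can be exercised offline; the zone name, serials and 192.0.2.x addresses in it are placeholders, not real data.

```python
"""Probe a zone's authoritative servers for DNSSEC support over raw UDP (added example)."""
import socket
import struct

TYPE_SOA, TYPE_OPT, TYPE_RRSIG = 6, 41, 46


def encode_name(name):
    """Encode 'example.net.' as uncompressed DNS wire labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(zone, qid=0x1234):
    """SOA query with RD clear (we want the server's own data) and an OPT RR with DO set."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 1)
    question = encode_name(zone) + struct.pack("!HH", TYPE_SOA, 1)
    # OPT pseudo-RR: root name, type 41, UDP size 4096, ext-rcode 0, version 0, flags DO, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past a name, which may end in a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Extract what the DNSSEC readiness check needs from a raw reply."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    result = {"rcode": flags & 0xF, "aa": bool(flags & 0x0400),
              "serial": None, "rrsig": False, "do": False}
    for section, count in (("an", an), ("ns", ns), ("ar", ar)):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rdata = off + 10
            if section == "an" and rtype == TYPE_SOA:
                p = skip_name(msg, skip_name(msg, rdata))  # skip MNAME and RNAME
                result["serial"] = struct.unpack("!I", msg[p:p + 4])[0]
            elif section == "an" and rtype == TYPE_RRSIG:
                result["rrsig"] = True
            elif rtype == TYPE_OPT:
                result["do"] = bool(ttl & 0x8000)  # OPT reuses the TTL field for flags
            off = rdata + rdlen
    return result


def probe(server, zone, timeout=3.0):
    """Query one server; None means it never answered."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(zone), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data)


def assess(results):
    """Map server -> list of problems; a fit secondary has an empty list and is omitted."""
    problems = {}
    serials = {r["serial"] for r in results.values() if r and r["serial"] is not None}
    for server, r in results.items():
        issues = []
        if r is None:
            issues.append("no answer")
        else:
            if not r["aa"]:
                issues.append("not authoritative")
            if not r["do"]:
                issues.append("no EDNS/DO in reply")
            if not r["rrsig"]:
                issues.append("no RRSIG with SOA")
            if len(serials) > 1:
                issues.append("serial %s differs from other servers" % r["serial"])
        if issues:
            problems[server] = issues
    return problems


def constructed_response(zone, serial, signed=True, do=True, aa=True):
    """Constructed reply bytes for offline testing, not captured traffic."""
    flags = 0x8000 | (0x0400 if aa else 0)
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, 2 if signed else 1, 0, 1)
    msg += encode_name(zone) + struct.pack("!HH", TYPE_SOA, 1)
    soa = encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
    soa += struct.pack("!IIIII", serial, 7200, 3600, 1209600, 3600)
    msg += encode_name(zone) + struct.pack("!HHIH", TYPE_SOA, 1, 3600, len(soa)) + soa
    if signed:
        sig = b"\x00" * 40  # placeholder RRSIG rdata; only its presence is checked
        msg += encode_name(zone) + struct.pack("!HHIH", TYPE_RRSIG, 1, 3600, len(sig)) + sig
    msg += b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, 0x8000 if do else 0, 0)
    return msg


if __name__ == "__main__":
    import sys  # usage: python probe.py example.net. 192.0.2.1 192.0.2.2 ...
    zone, servers = sys.argv[1], sys.argv[2:]
    print(assess({s: probe(s, zone) for s in servers}) or "all servers signed and in sync")
```

A server that replies but drops the OPT record or the RRSIG is the case that hurts most in practice: resolvers validating the zone will treat its answers as bogus, so a single such secondary in the NS set turns into intermittent SERVFAILs for a fraction of queries rather than an obvious outage.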
