[dns-operations] OpenDNS, Google, Nominet - New delegation update failure mode

Brian Somers bsomers at opendns.com
Thu Apr 2 21:06:26 UTC 2020

FWIW, OpenDNS/Umbrella/Cisco will use the glue to look things
up and won’t explicitly ask the authority for its own NS record.

However, if we’re asked for an NS record by a client, we’ll lookup
& return the authoritative answer and that answer will trump the glue.
We’ll never serve glue to a client.

One of the problems with caching NS records is that you’ve got to be
careful that you don’t let them keep re-asserting their own presence
in the cache (by repeating their RRset in the AUTH section every time
you talk to them).  We do *force* their eventual TTL decay, but
for frequently queried domains, the original glue TTL is *not* honoured
due to the authoritative RRset trumping it!

This may be what was happening for shopdisney.co.uk...

> On Apr 2, 2020, at 1:41 PM, Paul Vixie <paul at redbarn.org> wrote:
> On Thursday, 2 April 2020 20:12:50 UTC Puneet Sood via dns-operations wrote:
>> ,,,
>> Google Public DNS is “parent-centric”—meaning that it only uses the
>> name servers that are returned in the referral responses from the
>> parent zone name servers, and does not make NS queries to this child
>> zone. So updating the parent delegation to include both NS sets will
>> help with Google Public DNS resolution.
>> ...
> this is concerning, so, two questions:
> would you change this parent-centrism or or when you implement QM?
> when you receive NS RRs from the authority, perhaps as part of an NXD 
> response, do you ignore them?
> if you process a stub query asking for NS, do you return the set you received 
> during iteration?
> -- 
> Paul
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

More information about the dns-operations mailing list