[dns-operations] OpenDNS, Google, Nominet - New delegation update failure mode

Paul Vixie paul at redbarn.org
Thu Apr 2 21:13:31 UTC 2020


On Thursday, 2 April 2020 21:06:26 UTC Brian Somers wrote:
> FWIW, OpenDNS/Umbrella/Cisco will use the glue to look things
> up and won’t explicitly ask the authority for its own NS record.
> 
> However, if we’re asked for an NS record by a client, we’ll lookup
> & return the authoritative answer and that answer will trump the glue.
> We’ll never serve glue to a client.
> 
> One of the problems with caching NS records is that you’ve got to be
> careful that you don’t let them keep re-asserting their own presence
> in the cache (by repeating their RRset in the AUTH section every time
> you talk to them).  We do *force* their eventual TTL decay, but
> for frequently queried domains, the original glue TTL is *not* honoured
> due to the authoritative RRset trumping it!

sounds like you've implemented section 2 (kewl!) but not yet section 4:

https://www.ietf.org/archive/id/draft-vixie-dnsext-resimprove-00.txt

> This may be what was happening for shopdisney.co.uk...

if so then you may also want to implement section 2.5 (ibid).

-- 
Paul





More information about the dns-operations mailing list