[dns-operations] OpenDNS, Google, Nominet - New delegation update failure mode
Petr Špaček
petr.spacek at nic.cz
Fri Apr 3 06:42:05 UTC 2020
On 02. 04. 20 23:11, Doug Barton wrote:
> Thank you for flushing it, I can see that the nodes which were previously failing are now working.
>
> I also appreciate the logs, which confirm my fear that the old NS set was stuck in the cache with what's left of the parent's TTL. That's sort of good news in the short term since at least we know now that the problem will go away in time. It's better news longer term since it tells me that my ultra-paranoid step of adding both sets to the parent isn't so paranoid after all, and will work to smooth the transitions for the other sites.
>
> Wasn't there a move away from parent-centric in the past? Did I miss a memo?
Now I'm curious:
Was there?
TL;DR:
Updating the parent NS set and waiting for its TTL to expire is in no way paranoid; it is a mandatory step.
Being parent-centric is the only way to make resolution deterministic (with respect to NS changes), so we also do that in Knot Resolver. Ultimately, if there is no overlap between the parent and child NS sets, even child-centric resolvers will inevitably fail resolution as soon as the child NS expires from their cache.
This behavior is baked into the protocol, so there is no way around it. I would much rather spend time on getting parents more flexible instead of spending time on workarounds (being child-centric is IMHO a workaround).
Petr Špaček @ CZ.NIC
>
> Thanks again,
>
> Doug
>
>
> On 2020-04-02 13:49, Brian Somers wrote:
>> I’ve flushed shopdisney.co.uk/NS globally. Should work now for
>> Umbrella/OpenDNS/Cisco
>>
>>> On Apr 2, 2020, at 1:36 PM, Brian Somers <bsomers at OpenDNS.com> wrote:
>>>
>>> This is what I see with diagnostics turned up:
>
>>> shopdisney.co.uk. 0 IN TXT "RESOLVER: shopdisney.co.uk IN NS ns1.disneyinternational.net"
>>> shopdisney.co.uk. 0 IN TXT "RESOLVER: shopdisney.co.uk IN NS ns2.disneyinternational.net"
>>> shopdisney.co.uk. 0 IN TXT "RESOLVER: shopdisney.co.uk IN NS ns3.disneyinternational.net"
>>> shopdisney.co.uk. 0 IN TXT "RESOLVER: shopdisney.co.uk IN NS ns4.disneyinternational.net"
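An added example, not part of the thread or of any resolver's code: a small model of a parent-centric resolver cache that compares an abrupt NS cut-over with the overlap approach discussed above (publish both sets at the parent, wait out the parent TTL, then retire the old servers). The server names, the 48-hour parent TTL and the timeline are constructed assumptions.

```python
# Added example: constructed names, times and TTL; none come from the thread.
from dataclasses import dataclass

OLD = frozenset({"ns1.old.example.", "ns2.old.example."})
NEW = frozenset({"ns1.new.example.", "ns2.new.example."})
TTL = 172800          # assumed TTL of the delegation NS set at the parent (48 h)
T = 7 * 86400         # assumed time of the first parent update

@dataclass
class Plan:
    parent_steps: list  # [(start_time, NS set the parent publishes from then on)]
    old_off_at: int     # time the old servers stop answering

    def parent_ns(self, t):
        # Latest step whose start time is <= t.
        return max((s for s in self.parent_steps if s[0] <= t), key=lambda s: s[0])[1]

    def alive(self, t):
        # Assumption: the new servers already serve the zone for the whole run.
        return NEW if t >= self.old_off_at else OLD | NEW

def stranded(plan, horizon=14 * 86400, step=3600):
    """Map fetch time -> seconds of outage for a parent-centric resolver that
    cached the delegation at that time and keeps it for TTL seconds."""
    out = {}
    for f in range(0, horizon, step):
        cached = plan.parent_ns(f)
        # Servers only ever disappear, so the last second of the cache
        # lifetime is the worst case.
        if not cached & plan.alive(f + TTL - 1):
            out[f] = f + TTL - max(f, plan.old_off_at)
    return out

# Abrupt cut-over: parent switches to NEW and OLD is shut down at the same moment.
ABRUPT = Plan([(0, OLD), (T, NEW)], old_off_at=T)
# Overlap: parent lists both sets for one full TTL before OLD is shut down.
OVERLAP = Plan([(0, OLD), (T, OLD | NEW), (T + TTL, NEW)], old_off_at=T + TTL)

if __name__ == "__main__":
    for name, plan in (("abrupt", ABRUPT), ("overlap", OVERLAP)):
        bad = stranded(plan)
        print(name, "stranded fetches:", len(bad),
              "worst outage (s):", max(bad.values(), default=0))
```

In this model every resolver that cached the old-only delegation less than one parent TTL before the abrupt cut-over is left with no reachable server until that entry expires, while the overlap plan strands none.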