[dns-operations] OpenDNS, Google, Nominet - New delegation update failure mode

Shumon Huque shuque at gmail.com
Fri Apr 3 12:15:53 UTC 2020


On Thu, Apr 2, 2020 at 5:10 PM Brian Somers <bsomers at opendns.com> wrote:

> FWIW, OpenDNS/Umbrella/Cisco will use the glue to look things
> up and won’t explicitly ask the authority for its own NS record.
>
> However, if we’re asked for an NS record by a client, we’ll look up
> & return the authoritative answer and that answer will trump the glue.
> We’ll never serve glue to a client.
>
> One of the problems with caching NS records is that you’ve got to be
> careful that you don’t let them keep re-asserting their own presence
> in the cache (by repeating their RRset in the AUTH section every time
> you talk to them).  We do *force* their eventual TTL decay, but
> for frequently queried domains, the original glue TTL is *not* honoured
> due to the authoritative RRset trumping it!
>

Folks may be interested in this proposal that Paul Vixie, Ralph Dolmans, and I
have been working on, to cause resolvers to deterministically prefer the
child NS set, while avoiding the problem you mention in the last paragraph:

   https://tools.ietf.org/html/draft-huque-dnsop-ns-revalidation-01

I realize some implementers (Petr Spacek?) do not agree, but on balance we
think this is what resolvers should do.

Shumon Huque.
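
A toy model of the NS caching behaviour Brian Somers describes in the quoted text, added here as an illustration; it is not OpenDNS code and does not implement the linked draft. The class and function names, zone names, TTLs and query interval are all constructed for the example.

```python
from dataclasses import dataclass

GLUE, AUTH = 0, 1  # credibility rank: authoritative data outranks referral glue

@dataclass
class Entry:
    nsset: frozenset
    rank: int
    expires: int

class NSCache:
    """Single-zone NS cache (hypothetical model, one entry only)."""
    def __init__(self, force_decay):
        self.force_decay = force_decay
        self.entry = None

    def get(self, now):
        if self.entry and now >= self.entry.expires:
            self.entry = None  # expired: the next lookup has to go back to the parent
        return self.entry

    def offer(self, now, nsset, ttl, rank):
        cur = self.get(now)
        # Higher-ranked data always replaces. Same-rank data restarts the timer
        # only when decay is NOT forced; that is the self re-assertion problem.
        if cur is None or rank > cur.rank or (rank == cur.rank and not self.force_decay):
            self.entry = Entry(frozenset(nsset), rank, now + ttl)

def first_parent_requery(force_decay, glue_ttl=3600, auth_ttl=300,
                         interval=60, horizon=7200):
    """First time (seconds) the entry has expired so the parent is asked again;
    None if that never happens within the horizon."""
    cache = NSCache(force_decay)
    ns = {"ns1.old.example.", "ns2.old.example."}  # constructed names
    cache.offer(0, ns, glue_ttl, GLUE)             # referral from the parent at t=0
    for t in range(interval, horizon + 1, interval):
        if cache.get(t) is None:
            return t
        cache.offer(t, ns, auth_ttl, AUTH)         # servers repeat their NS RRset in AUTH
    return None

if __name__ == "__main__":
    print("refresh on every answer:", first_parent_requery(False))
    print("forced decay, auth TTL 300 < glue TTL 3600:", first_parent_requery(True))
    print("forced decay, auth TTL 3600 > glue TTL 300:",
          first_parent_requery(True, glue_ttl=300, auth_ttl=3600))
```

With forced decay the entry does expire, but at a time set by the authoritative RRset's TTL rather than the glue TTL, in either direction.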