[dns-operations] OpenDNS, Google, Nominet - New delegation update failure mode

Ralf Weber dns at fl1ger.de
Sat Apr 4 07:30:10 UTC 2020


On 3 Apr 2020, at 19:20, Shumon Huque wrote:
> To give you a real case, some time last year, we signed and migrated
> some of our important zones to a set of new providers, after extensive
> testing (verifying the zones were correctly deployed and signed,
> detailed pre-delegation testing, distributed monitoring of the provider
> footprints, etc.).
> A couple of days after pulling the trigger, we discovered breakage in a
> particular region of the world where one of the provider's servers was
> misconfigured. We weren't able to catch this pre-deployment, since our
> distributed monitoring did not include nodes in the anycast catchment
> area(s) of these broken servers. So, we had to back out the change, and
> then deal with the lingering up-to-2-day effect of the parent NS TTL
> (for parent-centric resolvers).
I fully understand why you want that, but all of that leads to resolvers
doing more work for all resolutions, and that is a bad thing for everyone,
not just the few out of billions of domains that currently are doing
these complicated moves. I'm doing a couple of algorithm rolls on my
domains at the moment and it for sure sucks that these take over a week
to complete, but I would never have thought of changing the protocol to
make it easier for me.

Also, this leads to a slippery slope of resolvers having to prefer certain
answers over others for resolution-policy and not protocol reasons, and
I'd rather keep the already complicated resolution as simple as possible,
meaning if I get a correct DNS packet I use it and don't go elsewhere
and ask whether it really is correct unless I have to for protocol reasons,
like a glueless delegation.

BTW, there was a proposal to make resolution more parent-centric a couple
of years back; that also went nowhere. Maybe it is best to have a mix
of resolvers, as we have now.

So long
Ralf Weber
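The "lingering parent NS TTL" effect that Shumon describes and Ralf's distinction between parent-centric and child-centric resolvers can be made concrete with a small cache model. The following is an added illustration, not code from this thread or from either poster's setup; the provider names, the 2-day parent delegation TTL, the 1-hour child apex TTL, the migration and backout times and the resolver's query interval are all constructed for the example.

```python
"""Toy model of the parent NS TTL effect after a backed-out delegation change.

Added illustration (not from the dns-operations thread). Constructed
scenario: a zone is delegated to OLD, moved to NEW at `migrate_at`, and
backed out to OLD at `backout_at`. The parent-side NS RRset carries a
2-day TTL, the child-side apex NS RRset a 1-hour TTL. We measure how long
each resolver style keeps sending queries to the reverted provider.
"""
from dataclasses import dataclass

PARENT_NS_TTL = 172800   # parent delegation NS TTL (constructed: 2 days)
CHILD_NS_TTL = 3600      # child apex NS TTL (constructed: 1 hour)

OLD = frozenset({"ns1.old-provider.example", "ns2.old-provider.example"})
NEW = frozenset({"ns1.new-provider.example", "ns2.new-provider.example"})


@dataclass(frozen=True)
class NSSet:
    names: frozenset
    ttl: int


class Timeline:
    """What the parent and the child authoritative servers answer at time t."""

    def __init__(self):
        self._changes = []          # (time, parent NSSet, child NSSet)

    def set_at(self, t, parent, child):
        self._changes.append((t, parent, child))
        self._changes.sort(key=lambda c: c[0])

    def state(self, t):
        current = None
        for when, parent, child in self._changes:
            if when <= t:
                current = (parent, child)
        return current


class Resolver:
    """Minimal NS cache with absolute expiry; the policy picks which set rules."""

    def __init__(self, policy):
        assert policy in ("parent-centric", "child-centric")
        self.policy = policy
        self._cache = {}            # "parent" / "child" -> (names, expires_at)

    def _fetch(self, side, t, timeline):
        entry = self._cache.get(side)
        if entry is not None and entry[1] > t:
            return entry[0]                       # still fresh: no re-query
        parent, child = timeline.state(t)
        rrset = parent if side == "parent" else child
        self._cache[side] = (rrset.names, t + rrset.ttl)
        return rrset.names

    def ns_for(self, t, timeline):
        # Both styles learn the delegation NS set from the parent first.
        delegation = self._fetch("parent", t, timeline)
        if self.policy == "parent-centric":
            return delegation                     # kept until the parent TTL expires
        # A child-centric resolver replaces the delegation set with the apex
        # NS set and refreshes it on that set's own (here shorter) TTL.
        return self._fetch("child", t, timeline)


def build_timeline(migrate_at, backout_at):
    tl = Timeline()
    tl.set_at(0, NSSet(OLD, PARENT_NS_TTL), NSSet(OLD, CHILD_NS_TTL))
    tl.set_at(migrate_at, NSSet(NEW, PARENT_NS_TTL), NSSet(NEW, CHILD_NS_TTL))
    tl.set_at(backout_at, NSSet(OLD, PARENT_NS_TTL), NSSet(OLD, CHILD_NS_TTL))
    return tl


def recovery_lag(policy, migrate_at, backout_at, query_interval=600, horizon=7 * 86400):
    """Seconds after the backout until a resolver that looks the zone up every
    query_interval seconds is back on the OLD set; None if not within horizon."""
    timeline = build_timeline(migrate_at, backout_at)
    resolver = Resolver(policy)
    t = 0
    while t <= horizon:
        names = resolver.ns_for(t, timeline)   # populate / refresh the cache
        if t >= backout_at and names == OLD:
            return t - backout_at
        t += query_interval
    return None


if __name__ == "__main__":
    # Migrate on day 1, back out 2 days and 20 minutes later (constructed).
    migrate, backout = 86400, 86400 + 2 * 86400 + 1200
    for policy in ("parent-centric", "child-centric"):
        lag = recovery_lag(policy, migrate, backout)
        print(f"{policy:15s} back on the old provider {lag / 3600:.2f} h after backout")
```

In this run the parent-centric resolver keeps hitting the reverted provider for roughly a day (it re-fetched the delegation NS set just before the backout and holds it for the full 2-day TTL), while the child-centric one recovers within the hour; the worst case for either style is exactly the TTL of the NS set it trusts, which is why the parent TTL, not the child's, bounds the cleanup time after a backout.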
