mike rockynet.com (Mike Lewinski) writes:
> Justin Scott wrote:
>
> > I suppose the problem with having an official list to query would be
> > getting all of the various registries to participate and keep it
> > regularly updated. I personally qualify this as a slight inconvenience,
> > but I'm not sure I would call it a flaw in the DNS system.
>
> If we just call DNS a distributed database, then it is easy to see that
> when the keys (glue at root) get updated, the relations to those keys
> *should* all reflect that change. ...
>
> And I'll admit, I'm not sure how to properly fix it either. My first
> thought was a BIND directive to "expire-stale-zones <interval>;" so that
> every <interval> the server might check to be sure it is still auth, and
> if it has found authority changed, would stop giving out AAs for it. But
> I see all kinds of operational issues arising from that too (such as,
> how do we gracefully set up a new customer's zone before it has
> transitioned here).
as duane said, it's possible to accomplish this with creative nagios plugins.
however, i agree that it's something BIND should do, to be comprehensive. if
someone is excited enough about this to consider sponsoring the work, please
contact me (vixie isc.org) to discuss details.
> Really, in my ideal Internet, once my server was notified that it was no
> longer authoritative, it would have an option to do a reverse xfer to
> the new auth servers (who would then be free to accept/reject the old
> information as necessary - can't count the number of times I've tried to
> get customers to provide zone file records in advance and failed because
> they don't know how/where to get them from). But that's an ideal
> Internet that will never exist, I know.
it's because we didn't know exactly how to scope this problem that RFC 2136
does not permit the insertion or deletion of authority zones. noting that
the ideal internet you want is within our grasp if we can only define it and
sponsor it, i recommend taking up this thread on namedroppers ops.ietf.org or
dns-operations lists.oarci.net.
--
Paul Vixie
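The thread talks about two pieces: a monitoring check (the "creative nagios plugins") that notices when a zone this server still hosts is no longer delegated to it, and the decision an `expire-stale-zones`-style directive would have to make about when to stop setting AA. The block below is an added example written for this page, not code from the thread, from ISC or from BIND. The `expire-stale-zones` directive is the poster's hypothetical and does not exist; the network lookup is injected as a function, because the set that matters is the NS RRset at the *parent* (the delegation side), which a plain recursive NS query will not show, and the parent data here is constructed so the example runs offline.

```python
# Added example (not from the thread): a Nagios-style delegation check plus the
# "stop answering authoritatively" decision a stale-zone expiry would need.
import sys
from typing import Callable, Iterable, Optional, Set, Tuple

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # conventional Nagios plugin exit codes
STATUS_NAMES = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}


def normalize(name: str) -> str:
    """Lower-case a DNS name and force a trailing dot so set comparisons are exact."""
    return name.strip().rstrip(".").lower() + "."


def check_delegation(zone: str, our_names: Iterable[str],
                     lookup_ns: Callable[[str], Optional[Set[str]]]) -> Tuple[int, str]:
    """Compare the NS names the parent delegates to against the names we answer as.

    lookup_ns(zone) must return the NS owner names found in the PARENT zone's
    delegation (not our own apex NS RRset), or None if the lookup failed.
    """
    zone = normalize(zone)
    ours = {normalize(n) for n in our_names}
    delegated = lookup_ns(zone)
    if delegated is None:
        return UNKNOWN, f"{zone} delegation could not be fetched from the parent"
    delegated = {normalize(n) for n in delegated}
    if not delegated:
        return CRITICAL, f"{zone} has no delegation at the parent"
    if not (ours & delegated):
        return CRITICAL, f"{zone} is delegated to {sorted(delegated)}; none are ours"
    missing = ours - delegated
    if missing:
        return WARNING, f"{zone} delegation omits {sorted(missing)}"
    return OK, f"{zone} delegation lists all of {sorted(ours)}"


class AuthorityTracker:
    """Per-zone decision on whether to keep setting AA, fed by successive check results.

    Only consecutive CRITICAL results count toward expiry. UNKNOWN (a failed
    lookup) neither confirms nor revokes, so a flaky parent cannot knock a
    zone we still legitimately serve out of service.
    """

    def __init__(self, misses_before_expire: int = 3) -> None:
        self.misses_before_expire = misses_before_expire
        self._misses: dict = {}
        self._expired: set = set()

    def record(self, zone: str, status: int) -> None:
        zone = normalize(zone)
        if status in (OK, WARNING):
            self._misses[zone] = 0
            self._expired.discard(zone)  # delegation confirmed again: resume AA
        elif status == CRITICAL:
            self._misses[zone] = self._misses.get(zone, 0) + 1
            if self._misses[zone] >= self.misses_before_expire:
                self._expired.add(zone)

    def answers_authoritatively(self, zone: str) -> bool:
        return normalize(zone) not in self._expired


# Constructed parent-side delegation data standing in for real queries.
CONSTRUCTED_PARENT_NS = {
    "stays.example.": {"ns1.isp.example.", "ns2.isp.example."},       # still ours
    "moved.example.": {"ns1.newhost.example.", "ns2.newhost.example."},  # transferred away
    "partial.example.": {"ns1.isp.example.", "ns9.elsewhere.example."},  # half moved
    "deleted.example.": set(),                                            # no delegation left
}
OUR_NAMES = ["ns1.isp.example", "ns2.isp.example"]  # constructed hostnames for this server


def fake_lookup_ns(zone: str) -> Optional[Set[str]]:
    """Stand-in for asking the parent's servers; None models a failed lookup."""
    return CONSTRUCTED_PARENT_NS.get(zone)


def run_checks(zones: Iterable[str], lookup_ns=fake_lookup_ns) -> dict:
    return {z: check_delegation(z, OUR_NAMES, lookup_ns) for z in zones}


if __name__ == "__main__":
    worst = OK
    for zone, (status, msg) in run_checks(
            list(CONSTRUCTED_PARENT_NS) + ["unreachable.example."]).items():
        print(f"{STATUS_NAMES[status]}: {msg}")
        worst = max(worst, status)
    sys.exit(worst)  # one combined plugin exit code
```

Run stand-alone it prints one line per zone and exits with the worst status; wired into a real plugin, `fake_lookup_ns` would be replaced by a function that queries the parent zone's authoritative servers for the child's NS RRset. The tracker shows why the poster's operational worry is real: a newly signed-up customer whose delegation has not yet moved to this server would look exactly like a zone that has moved away, so any automatic expiry needs a grace period or an explicit "pending" state for new zones.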