[100148] in North American Network Operators' Group
Re: dns authority changes and lame servers
daemon@ATHENA.MIT.EDU (Mike Lewinski)
Thu Oct 18 16:52:10 2007
Date: Thu, 18 Oct 2007 14:28:52 -0600
From: Mike Lewinski <mike@rockynet.com>
To: nanog@merit.edu
In-Reply-To: <46998D43CA4FED489115621F79BDF684673C8A@gf-dc.GravityFree.local>
Errors-To: owner-nanog@merit.edu
Justin Scott wrote:
> I suppose the problem with having an official list to query would be
> getting all of the various registries to participate and keep it
> regularly updated. I personally qualify this as a slight inconvenience,
> but I'm not sure I would call it a flaw in the DNS system.
If we just call DNS a distributed database, then it is easy to see that
when the keys (glue at root) get updated, the relations to those keys
*should* all reflect that change. The flaw is that the system creates
cruft almost continuously. I'd love to see a graph of the cruft on a
global scale, because I'm positive that over time it is growing (though
in ways that are not always operationally impactful since most of it
will be dead and abandoned zones still sitting in our named.conf).
And I'll admit, I'm not sure how to properly fix it either. My first
thought was a BIND directive to "expire-stale-zones <interval>;" so that
every <interval> the server might check to be sure it is still auth, and
if it has found authority changed, would stop giving out AAs for it. But
I see all kinds of operational issues arising from that too (such as,
how do we gracefully set up a new customer's zone before it has
transitioned here).
Really, in my ideal Internet, once my server was notified that it was no
longer authoritative, it would have an option to do a reverse xfer to
the new auth servers (who would then be free to accept/reject the old
information as necessary - can't count the number of times I've tried to
get customers to provide zone file records in advance and failed because
they don't know how/where to get them from). But that's an ideal
Internet that will never exist, I know.
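As an added illustration of the periodic "am I still authoritative?" check the post proposes (example code written for this page, not from the post or from BIND): it parses the zone stanzas out of a named.conf and compares each zone against the NS names the parent delegates to, flagging zones this server would still answer authoritatively for even though the delegation has moved or vanished. The named.conf text, the parent delegation data and the server names are constructed stand-ins; in practice the `lookup` callable would issue a real NS query to the parent.

```python
import re
from typing import Callable, Dict, Optional, Set

# Constructed sample named.conf fragment (not from the original post).
NAMED_CONF = """
zone "example.com" { type master; file "example.com.zone"; };
zone "example.net" { type slave; masters { 192.0.2.10; }; };
zone "abandoned.example" { type master; file "abandoned.zone"; };
zone "localhost" { type master; file "localhost.zone"; };
"""
# Constructed stand-in for the NS RRset the parent publishes per zone;
# None models a delegation that has been removed from the parent entirely.
PARENT_DELEGATION: Dict[str, Optional[Set[str]]] = {
    "example.com": {"ns1.rockynet.example", "ns2.rockynet.example"},
    "example.net": {"ns1.newprovider.example"},
    "abandoned.example": None,
}
# Hypothetical names this server is delegated under, and zones to skip.
OUR_NS = {"ns1.rockynet.example", "ns2.rockynet.example"}
LOCAL_ZONES = {"localhost", "127.in-addr.arpa"}

ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{\s*type\s+(master|slave)\b', re.I)

def _norm(name: str) -> str:
    return name.lower().rstrip(".")

def zones_from_named_conf(text: str) -> Dict[str, str]:
    """Return {zone: type} for every master/slave zone stanza in a named.conf."""
    return {_norm(n): t.lower() for n, t in ZONE_RE.findall(text)}

def classify_zones(zones: Dict[str, str], our_ns: Set[str],
                   lookup: Callable[[str], Optional[Set[str]]]) -> Dict[str, str]:
    """Label each zone 'ok' (parent still delegates to us), 'lame' (delegated
    elsewhere, so our AA answers are stale) or 'gone' (no delegation left).
    `lookup` returns the parent's NS names; swap in a real DNS query in practice."""
    ours = {_norm(n) for n in our_ns}
    report: Dict[str, str] = {}
    for zone in zones:
        if zone in LOCAL_ZONES:
            continue  # built-in zones never have a parent delegation
        delegated = lookup(zone)
        if not delegated:
            report[zone] = "gone"
        elif ours & {_norm(n) for n in delegated}:
            report[zone] = "ok"
        else:
            report[zone] = "lame"
    return report
```

Zones reported as "lame" or "gone" are the cruft the post describes: entries still in named.conf that no longer correspond to a delegation pointing at this server.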