[100172] in North American Network Operators' Group
Re: dns authority changes and lame servers
daemon@ATHENA.MIT.EDU (Mark Andrews)
Thu Oct 18 20:06:42 2007
Date: Fri, 19 Oct 2007 10:01:08 +1000 (EST)
From: Mark Andrews <Mark_Andrews@isc.org>
To: nanog@merit.edu
In-Reply-To: <4717A597.8020900@rockynet.com>
Errors-To: owner-nanog@merit.edu
The correct way to change a delegation is to:
* add the new servers as stealth servers for the
current zone.
* if the old master is to be removed, make it a slave
of the new master.
* add the new NS records to the zone.
* wait for all the slaves to have the new zone.
* inform the parent zone of the new NS records.
* wait until all the old NS RRsets have expired from
caches (implies waiting for the parent's changes to propagate).
* remove the old NS records from the zone.
* wait for all the slaves to update.
* inform the parent zone of the new NS records.
* wait until all the intermediate NS RRsets have expired from
caches (implies waiting for the parent's changes to propagate).
* any slaves that are not being remove and that are still
using the old master (or slave that is going away) need
to be configured to use the new master by this point.
* stop serving the zone on the old servers.
Note: all through this process the namesevers listed in the
NS records are answering for the zone in a consistant manner.
Note: even if the parents informed you that the delegation
was removed you still have to wait for the records to expire
from caches *before* you can stop serving the zone.
One can collapse the above slightly by informing the parent
of the final NS RRset, rather than the intermediate NS
RRset, but that won't work with registrars that check the
childs NS RRset.
One way to get around this would be to charge a cleanup fee
that only gets charged when the client fails to notify you
in advance that they are going change delegations.
Mark