[100250] in North American Network Operators' Group
Re: dns authority changes and lame servers
daemon@ATHENA.MIT.EDU (Mike Lewinski)
Fri Oct 19 20:25:31 2007
Date: Fri, 19 Oct 2007 18:24:25 -0600
From: Mike Lewinski <mike@rockynet.com>
To: nanog@nanog.org
In-Reply-To: <Pine.LNX.4.56.0710201239590.29272@localhost.localdomain>
Errors-To: owner-nanog@merit.edu
Simon Lyall wrote:
> Sounds like the real problem is that your authoritative and caching DNS
> servers are mixed up.
Understood. I've worked to turn off recursion to the world and made it
through that without too much pain (except for the people who transport
statically configured laptops on and off our network). The next step
isn't trivial since it's a matter of updating quite a lot of data. It's
important and we're working on it for the benefit of the customers, but
this will be an operational issue for us for a while.
I'm sure I'll get a response telling me to just change the glue at root
for the NS and be done, but that won't help any other externally
registered names pointing to my DNS with their own glue at root. Then
there are the ARPAs, all with "interesting" pedigrees and various
processes (true, they are least likely to be the problem, but now I have
to split the zone management onto more than one server so it's not as
simple as just changing my glue at root).
And there's the case in the last few years of $REAL_BIG_ILEC who
provides DSL service and has the same configuration we do. It took some
legalish threats all the way to their CEO to get a stale zone removed,
after 9 months of attempting to work through the "regular" channels
(even their former customer couldn't get the request processed!). Their
policy is apparently to not remove zones, ever.
So no matter how quickly I transition my network, this is still going to
affect your customers some day, because there are a lot of other people
in the same boat I am - lots of statically configured DNS resolvers
aren't going to change themselves and if the same caching servers are
also hosting thousands of zones that were added incrementally over the
last 12+ years....
We gave up long ago trying to get our technical contacts listed on each
customer domain whois / registrar role account, because we couldn't get
better than 50% response rate.
> If they are split then it doesn't really matter if you still host a lame
> record because (since it's lame) nobody will ask you about it.
It's still cruft and ideally should still be cleaned up automatically
based on the external authority changing.
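An added illustration, not part of Mike's post or any NANOG member's configuration, of the split both posters are talking about, in BIND 9 `named.conf` terms: the mixed server holds customer zones and recurses for anyone, while the corrected pair keeps authoritative data on a box with recursion off and confines the resolver to internal clients. The `internal` ACL, the `example.com` zone, the file paths and the address prefixes are placeholders; the three fragments are three separate configuration files, not one.

```conf
## Added example (not from the post). Assumed: ACL "internal", zone
## "example.com", file paths and prefixes are placeholders.

## BEFORE (one "mixed" server): authoritative for customer zones AND an open
## recursive resolver. Anyone on the Internet can recurse through it, and
## statically configured clients keep pointing at it after zones move away.
options {
    directory "/var/named";
    recursion yes;                 # BIND 9 default when unset
    allow-query { any; };          # required so the world can reach the zones...
    # ...but with recursion on, "any" also lets anyone use us as a resolver
};
zone "example.com" { type master; file "example.com.zone"; };

## AFTER, server 1 (authoritative only): recursion is disabled outright, so a
## zone left behind here is merely cruft; no resolver is forced to ask for it.
acl internal { 192.0.2.0/24; 198.51.100.0/24; };   # placeholder prefixes
options {
    directory "/var/named";
    recursion no;                  # never answer recursive queries
    allow-query { any; };          # still serve our zones to the world
    allow-transfer { internal; };  # zone transfers only from our own hosts
};
zone "example.com" { type master; file "example.com.zone"; };

## AFTER, server 2 (caching resolver for customers only): no zones are loaded
## here, so a customer moving its delegation elsewhere needs no change on it.
acl internal { 192.0.2.0/24; 198.51.100.0/24; };   # same placeholder prefixes
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { internal; };    # refuse recursion to the outside world
    allow-query-cache { internal; };  # and do not leak cached answers either
    allow-query { internal; };
};
```

Checking the result from outside the `internal` prefixes: a recursive query to server 2 should be refused, and server 1 should answer only for zones it actually holds, with the RA flag absent.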