[87321] in North American Network Operators' Group


Re: Gotchas of changing the IP Address of an Authoritative DNS Server

daemon@ATHENA.MIT.EDU (bmanning@vacation.karoshi.com)
Wed Dec 14 11:54:37 2005

Date: Wed, 14 Dec 2005 16:52:07 +0000
From: bmanning@vacation.karoshi.com
To: Joe Abley <jabley@isc.org>
Cc: Eric Kagan <ekagan@axsne.com>, NANOG list <nanog@merit.edu>
In-Reply-To: <1BC0CFD7-5058-494B-8969-0B54608DC631@isc.org>
Errors-To: owner-nanog@merit.edu


On Wed, Dec 14, 2005 at 10:02:56AM -0500, Joe Abley wrote:
> 
> 
> On 13-Dec-2005, at 16:28, Steven M. Bellovin wrote:
> 
> >In message <9828b780512131312q220a5ea6x97a6167e33c654a0@mail.gmail.com>, Sam Crooks writes:
> >>
> >>I would think you would want to drop your DNS record TTLs for all
> >>domains being moved to something very low several days before the
> >>switch-over period.
> >
> >More precisely, you want to change the TTL on the NS records, which are
> >in the parent zone.  If you're keeping the name but changing the
> >address, worry about the A records, too.
> 
> You also want to check all the registries which are superordinate to  
> zones your server is authoritative for, and check that any IP  
> addresses stored in those registries for your nameserver are updated,  
> otherwise you will experience either immediate or future glue madness.
> 
> A conservative approach to this kind of transition is to arrange for  
> your nameserver (or different nameservers hosting the same data) to  
> respond on both the old and new addresses, and to continue in that  
> mode until you see no queries directed at the old address for some  
> safe-seeming interval (bearing in mind TTLs and cached records,  
> alluded to by Steven and Sam).

	Being currently in the middle of such a safe, conservative
	transition leads me to believe that there will -NEVER-
	be a point where there are no queries to the old address.
	(he says, 24 months into a transition...)  The right
	tactic is to make the change, based on 2x the TTL of the SOA.

--bill
> 
> 
> Joe
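Joe's "keep answering on both addresses and watch the old one" approach combined with bill's 2x-TTL cutoff, as an added example written for this note (not code from anyone in the thread): it parses constructed query-log lines in the style of a BIND 9 query log, counts what still arrives on the old address, and reports whether the old address has been quiet for twice the supplied TTL. The addresses, log lines and clock are all constructed.

```python
import re
from datetime import datetime

# Old and new nameserver addresses (constructed; RFC 5737 documentation ranges).
OLD_ADDR = "192.0.2.53"
NEW_ADDR = "198.51.100.53"

# Constructed query-log lines in the style of a BIND 9 query log. The trailing
# "(address)" is the local address the query arrived on, which is what separates
# traffic still reaching the old address from traffic on the new one.
SAMPLE_LOG = """\
14-Dec-2005 10:00:01.000 client 203.0.113.7#40001 (example.net): query: example.net IN A - (192.0.2.53)
14-Dec-2005 11:30:15.000 client 203.0.113.9#40002 (www.example.net): query: www.example.net IN A - (198.51.100.53)
14-Dec-2005 13:05:42.000 client 203.0.113.7#40003 (example.net): query: example.net IN MX - (192.0.2.53)
14-Dec-2005 16:45:00.000 client 203.0.113.11#40004 (example.net): query: example.net IN NS - (198.51.100.53)
"""

# Time at which the check is run (constructed, so the example is deterministic).
NOW = datetime(2005, 12, 15, 0, 0, 0)

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client \S+ \([^)]*\): query: \S+ IN \S+ \S+ \((?P<local>[^)]+)\)$"
)

def parse_log(text):
    """Return (timestamp, local_address) for each query line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
            entries.append((ts, m.group("local")))
    return entries

def queries_per_address(entries):
    """Count queries by the local address they arrived on (old vs. new)."""
    counts = {}
    for _, addr in entries:
        counts[addr] = counts.get(addr, 0) + 1
    return counts

def old_address_quiet_for(entries, old_addr=OLD_ADDR, now=NOW):
    """Seconds since the last query seen on old_addr, or None if none was logged."""
    last = max((ts for ts, addr in entries if addr == old_addr), default=None)
    return None if last is None else (now - last).total_seconds()

def safe_to_retire(entries, ttl_seconds, old_addr=OLD_ADDR, now=NOW):
    """Bill's rule: retire the old address once it has been quiet for 2x the TTL.
    Pass the TTL you are tracking (the SOA's, per bill; the parent-zone NS and A
    records Steven mentions are what resolvers may still be caching). None (no
    old-address query in the log at all) only means something if the log spans 2x TTL."""
    quiet = old_address_quiet_for(entries, old_addr, now)
    return quiet is None or quiet >= 2 * ttl_seconds
```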
