[94701] in North American Network Operators' Group


Re: what the heck do i do now?

daemon@ATHENA.MIT.EDU (Jon Lewis)
Thu Feb 1 16:41:15 2007

Date: Thu, 1 Feb 2007 16:40:22 -0500 (EST)
From: Jon Lewis <jlewis@lewis.org>
To: Paul Vixie <vixie@vix.com>
Cc: nanog@merit.edu
In-Reply-To: <g3bqkdobcv.fsf@sa.vix.com>
Errors-To: owner-nanog@merit.edu


On Thu, 1 Feb 2007, Paul Vixie wrote:

>> 1) maps.vix.com.	604800	IN	NS	.
>
> i've tried that.  the retry rate actually goes up rather than down.

That's pretty messed up.  I've tested both the strategies I suggested, and 
at least with both bind9 and DJB's dnscache, the caching name server will 
cache the NS, and in this (.) case, it won't ask the auth server(s) again 
for any subsequent queries in the former DNSBL zone (until the data 
expires from the cache).  You must be getting hit by some seriously broken 
DNS caches.  I don't have them handy to test, but I wonder what bind8 and 
bind4 do?  After all, the sorts of people who set up servers to use a DNSBL 
8 years ago and forgot about it, are the sorts who might still be running 
really old DNS server software.

>> 2) maps.vix.com.	604800	IN	NS	u1.vix.com.
>>     maps.vix.com.	604800	IN	NS	u2.vix.com.
>>     maps.vix.com.	604800	IN	NS	u3.vix.com.
>>     ... [as many as you like]
>>     u1.vix.com.		604800	IN	A	192.0.2.1
>>     u2.vix.com.		604800	IN	A	192.0.2.2
>>     u3.vix.com.		604800	IN	A	192.0.2.3
>>     ... [as many as you like]
>
> i hadn't thought of that.  i'll think seriously about it, thanks.

I prefer this method since it's non-destructive, but much more likely to 
be noticed than the immediate failure the queriers get with the . method.

----------------------------------------------------------------------
  Jon Lewis                   |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
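
Added example, not part of the message above or of anyone's code in the thread: one way to find the "seriously broken DNS caches" is to scan the query log of the server that hands out the maps.vix.com NS records and flag clients that ask again inside the 604800-second TTL. The log format, the sample lines and the function names are constructed for illustration, and it assumes one client IP is one cache.

```python
from collections import defaultdict

ZONE = "maps.vix.com."
NS_TTL = 604800  # TTL on the NS records quoted in the message (7 days)

# Constructed sample log; hypothetical format "<epoch> <client-ip> <qname> <qtype>"
SAMPLE_LOG = """\
1170366000 198.51.100.10 2.0.0.127.maps.vix.com. A
1170366030 198.51.100.10 9.8.7.6.maps.vix.com. A
1170366060 198.51.100.10 4.3.2.1.maps.vix.com. A
1170366000 203.0.113.5 2.0.0.127.maps.vix.com. A
1170980000 203.0.113.5 1.1.1.10.maps.vix.com. A
1170366100 203.0.113.77 www.vix.com. A
not a log line
"""

def in_zone(qname, zone=ZONE):
    """True if qname is the zone apex or a name below it (case-insensitive)."""
    q = qname.lower().rstrip(".") + "."
    return q == zone or q.endswith("." + zone)

def find_noncaching_clients(log_text, zone=ZONE, ttl=NS_TTL):
    """Return {client: repeats} for clients that re-query within the NS TTL.

    A cache that kept the NS set needs one query per TTL window to learn the
    delegation; every further query inside that window counts as a repeat.
    """
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # skip malformed lines
        ts, client, qname, _qtype = parts
        if in_zone(qname, zone):
            events.append((int(ts), client))

    window_start = {}
    repeats = defaultdict(int)
    for ts, client in sorted(events):
        start = window_start.get(client)
        if start is None or ts - start >= ttl:
            window_start[client] = ts   # first query, or cached NS has expired
        else:
            repeats[client] += 1        # asked again while NS should be cached
    return dict(repeats)

if __name__ == "__main__":
    for client, count in sorted(find_noncaching_clients(SAMPLE_LOG).items()):
        print(f"{client} re-queried {count} time(s) inside the NS TTL")
```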
