North American Network Operators Group


Re: dns authority changes and lame servers

  • From: Mike Lewinski
  • Date: Fri Oct 19 20:26:00 2007

Simon Lyall wrote:

> Sounds like the real problem is that your authoritative and caching DNS
> servers are mixed up.

Understood. I've worked to turn off recursion to the world and made it through that without too much pain (except for the people who transport statically configured laptops on and off our network). The next step isn't trivial since it's a matter of updating quite a lot of data. It's important and we're working on it for the benefit of the customers, but this will be an operational issue for us for a while.

I'm sure I'll get a response telling me to just change the glue at root for the NS and be done, but that won't help any other externally registered names pointing to my DNS with their own glue at root. Then there are the ARPAs, all with "interesting" pedigrees and various processes (true, they are least likely to be the problem, but now I have to split the zone management onto more than one server so it's not as simple as just changing my glue at root).

And there's the case in the last few years of $REAL_BIG_ILEC who provides DSL service and has the same configuration we do. It took some legalish threats all the way to their CEO to get a stale zone removed, after 9 months of attempting to work through the "regular" channels (even their former customer couldn't get the request processed!). Their policy is apparently to not remove zones, ever.

So no matter how quickly I transition my network, this is still going to affect your customers some day, because there are a lot of other people in the same boat I am - lots of statically configured DNS resolvers aren't going to change themselves and if the same caching servers are also hosting thousands of zones that were added incrementally over the last 12+ years....

We gave up long ago trying to get our technical contacts listed on each customer domain whois / registrar role account, because we couldn't get better than 50% response rate.

> If they are split then it doesn't really matter if you still host a lame
> record because (since it's lame) nobody will ask you about it.

It's still cruft and ideally should still be cleaned up automatically based on the external authority changing.
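The automatic cleanup the post asks for, as an added example that is not part of the thread or any NANOG participant's code: an audit that compares every zone a server hosts against the delegation visible from outside and flags zones that are lame (delegated elsewhere now) or gone (no longer exist externally). The delegation data here is a constructed stub keyed by zone name; `reverse_zone`, `audit`, `retirement_candidates`, the server names and the domains are all assumptions made for the example.

```python
"""Audit hosted zones against the external delegation and flag stale ones.

Added example, not code from the thread. The lookup is injected so the
logic runs offline against a constructed table; in production it would be
replaced by a real query for the parent's NS set (see note below).
"""
from dataclasses import dataclass
from enum import Enum
import ipaddress
from typing import Callable, Iterable, List, Optional, Sequence, Tuple


class Status(Enum):
    DELEGATED = "delegated"  # external NS set still lists one of our servers
    LAME = "lame"            # zone exists externally but no longer points at us
    GONE = "gone"            # external authority has no such zone (NXDOMAIN)


@dataclass(frozen=True)
class Finding:
    zone: str
    status: Status
    external_ns: Tuple[str, ...]


def normalize(name: str) -> str:
    """Canonical form for comparison: lowercase, single trailing dot."""
    return name.rstrip(".").lower() + "."


def reverse_zone(prefix: str) -> str:
    """in-addr.arpa / ip6.arpa zone name for an octet- or nibble-aligned prefix.

    Hypothetical helper; it deliberately rejects prefixes that do not map to a
    single reverse zone (e.g. a v4 /20) instead of guessing.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones need octet-aligned prefixes")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa."
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones need nibble-aligned prefixes")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


# Returns the external NS names for a zone, or None when the zone does not exist.
LookupNS = Callable[[str], Optional[Iterable[str]]]


def audit(hosted_zones: Sequence[str], our_servers: Sequence[str],
          lookup_ns: LookupNS) -> List[Finding]:
    """Classify every hosted zone by what the outside world says about it."""
    ours = {normalize(s) for s in our_servers}
    findings = []
    for zone in sorted(normalize(z) for z in hosted_zones):
        external = lookup_ns(zone)
        if external is None:
            findings.append(Finding(zone, Status.GONE, ()))
            continue
        ext_set = tuple(sorted(normalize(n) for n in external))
        status = Status.DELEGATED if ours & set(ext_set) else Status.LAME
        findings.append(Finding(zone, status, ext_set))
    return findings


def retirement_candidates(findings: Iterable[Finding]) -> List[str]:
    """Zones that can be dropped from the server: lame or gone externally."""
    return [f.zone for f in findings if f.status is not Status.DELEGATED]


# Constructed sample of what the external delegation says about each zone.
EXTERNAL_DELEGATION = {
    "example.com.": ["ns1.example.net.", "ns2.example.net."],
    "example.org.": ["ns1.othercompany.example.", "ns2.othercompany.example."],
    "2.0.192.in-addr.arpa.": ["ns1.example.net."],
    # "example.test." is absent: the registrant dropped it, so NXDOMAIN.
}


def stub_lookup(zone: str) -> Optional[List[str]]:
    return EXTERNAL_DELEGATION.get(zone)


OUR_SERVERS = ["ns1.example.net", "ns2.example.net"]
HOSTED = ["example.com", "example.org", "example.test", reverse_zone("192.0.2.0/24")]


if __name__ == "__main__":
    findings = audit(HOSTED, OUR_SERVERS, stub_lookup)
    for f in findings:
        print(f"{f.status.value:9} {f.zone}  external NS: {', '.join(f.external_ns) or '-'}")
    print("retire:", retirement_candidates(findings))
```

To run this against live data, the `lookup_ns` callback would query the parent's delegation for each zone (the glue the post is talking about) rather than the child's own apex NS set, and return `None` on NXDOMAIN; a lame server's own zone file will happily claim authority it no longer has, so the child's answer proves nothing. Run on a schedule, the `retirement_candidates` list becomes the removal queue, and a zone that flips from delegated to lame is worth alerting on before it is dropped, since a registrar-side mistake looks identical to a deliberate move.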