To:
Mark.Andrews@nominum.com
cc:
Måns Nilsson <mansaxel@nic-se.se>, dnsop@cafax.se
From:
Robert Elz <kre@munnari.OZ.AU>
Date:
Wed, 07 Feb 2001 12:06:35 +0700
In-reply-to:
Your message of "Wed, 07 Feb 2001 09:54:35 +1100." <200102062254.f16MsZN94314@drugs.dv.isc.org>
Sender:
owner-dnsop@cafax.se
Subject:
Re: Bogus nic.fr behavior
Date: Wed, 07 Feb 2001 09:54:35 +1100 From: Mark.Andrews@nominum.com Message-ID: <200102062254.f16MsZN94314@drugs.dv.isc.org> | Robert you are reading more into the statement than was there. No, I know exactly what you were saying. | I am not saying But you should be, because with one addition, this is the right way to do it... | Parent old Child old | new servers commissioned | Parent old Child new *** broken zone *** | inform parent | Parent new Child new | ttls expired, old servers de-commissioned If this becomes Parent old Child old new servers commissioned Parent old Child old & new (both) carrying only the new NS RRset inform parent Parent new Child new ttls expired, old servers de-commissioned then you have a perfect delegation change - while the parent still has the old data, queries will keep going to the old servers, but they will answer with data from the new zone file (including the new NS record set). That the parent is (for a whort while) still giving out the old NS records is just yet another example of the DNS having a time lag before old data shifts to become new data (it causes no operational problems if planned for). Of course, this can't always be accomplished, sometimes the old servers are decommissioned before anyone (even the operators of the old servers sometimes...) gets to know about it... But that's not a problem that can be solved by changing the order or content of NS updates. With your scheme, everything that this scheme requires still needs to be done, the new and old servers still need to be synchronised (for you, with both of them having the combined NS record set) - except that for my scheme, once the parent is updated, and time allowed for TTLs to expire, the old servers simply become irrelevant to everyone, no more updates need be made anyway. In any case, you can guarantee that for all delegations I do, I *always* copy the NS record set (and glue) from the authoritative servers, I use the info that people send me only to find those servers in the first place. If they include 17 servers in their NS RRset, then all 17 of them go in the parent zone, regardless of how many they told me about on the form (which I think only has space for 3 or 4 anyway). From the point of view of validating that the servers being delegated to contain data that makes sense, this is the only way, as you're not relying on the operators of the servers making additional changes after the delegation change at the parent (and then doing it correctly, making sure the SOA.serial gets updated, etc). kre