On Fri, May 18, 2012 at 09:34:28AM +1000, Mark Andrews wrote:
>
> How can you "slave" a zone off your servers and not know.

In the particular disaster case that I was thinking of, not all of the servers involved were ours. But if you're running a sufficiently large service, you have all kinds of queries arriving that fail. A few failed zone transfers are in the noise.

> master but true slaving should have cause the zone to expire unless

Yes. I have no idea how the people in question managed to convince bind not to expire the zone, although I suspect that they were noticing that it would stop working, and then they'd restart bind or something. In the particular case I was thinking of, the machine they were transferring from just stopped answering. It always was mysterious to me how they managed to keep serving at all, but I know they did.

I'm not sure how "zone expires" makes the problem any better, however. It merely changes the problem from "slow decay and bad information on the network" into "sudden complete failure of resolution at the root".

I know, you're thinking that they will just switch to some other root server, and there won't be a problem. But if they were just going to use the DNS protocol like normal, they could use the widely-built infrastructure already in existence.

Remember that part of the original point that started all this was the political noise that this or that country "doesn't have a root server". The foundation of much of the reasoning here is badly flawed, and I don't think there's any reason to suppose that people who start from such premises are going to permit the "root queries to go out of country". Yes, I've heard it stated exactly that way in the past. Many of these arguments are not being made from technical grounds, but on layer 9+n grounds that I don't understand.

Best,

A

--
Andrew Sullivan
[email protected]
