On Thu, Jun 21, 2018 at 4:31 PM Hugo Salgado-Hernández <hsalg...@nic.cl> wrote:
> On 22:09 21/06, Shane Kerr wrote:
> > > Dne 1.6.2018 v 12:51 Shane Kerr napsal(a):
> > >
> > > Hmm, can you share some details about your experience?
> > > Did you find out when the data corruption took place?
> > > a) network transfer
> > > b) implementation bugs (e.g. incorrectly received IXFR)
> > > c) on disk
> > > d) some other option?
> >
> > I don't know. I have seen incorrectly transferred zone files both in
> > BIND
> > and NSD slaves. IIRC our solution was to include sentinel records in
> > the
> > zone files to spot problems, take the node out of service, and force a
> > re-transfer. This of course won't work if you are slaving zones that
> > you do
> > not control, and it doesn't prevent a small window of time when the
> > servers
> > are operating with broken zones. TSIG was being used.
> We have also seen broken transfers between secondaries. Our solution
> is to dump the zone after transfer, calculate a hash and compare. We
> would benefit from having a ZONEMD record inside the zone.

i *seem* to remember something happening with .de a few years back --
IIRC, slaves did a zone transfer, ran out of disk and truncated the
file, and so only had a partial zone file to serve - something like
2/3ds of the .de zone "disappeared". A zone checksum would allow the
nameserver to know that they do not have a full zone file.

My memory is hazy, because I would have expected the AXFR to fail and
the nameserver to just continue using the old zone. Perhaps there was
some other transfer mechanism and it involves restaring the
nameserver? I'm sure someone must remember more detail on this event.


> Hugo
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.

DNSOP mailing list

Reply via email to