> > Is this something that you think is an inherent flaw in DNS?  
> 
> Inherent flaw in the DNS: probably not.  Inherent flaws in implementations of
> DNS (including, of course, ISC's BIND) and things in front of the DNS:
> probably.  It is far too easy to do the wrong thing.

this is worth elaborating: there are two major sources of problems:

1. DNS implementation bugs
2. mis-configuration 

the latter can be further divided into:

- mis-configuration of DNS itself (e.g. out of date glue records, forgetting to 
increment serial numbers when changing a zone, improperly incrementing 
serial numbers so that they wrap prematurely, misconfiguration of zone 
transfer information, etc.) 

- getting DNS out of sync with other software (e.g. MX record points
to an SMTP server which doesn't recognize itself as the mail exchanger
for that domain, or changing a DNS record to point to a new address
and failing to make sure that the old address remains valid until
the TTL on the old record has expired)

but yes, it is far too easy to do the wrong thing, partially because
there are so many wrong things that can be done.

Keith
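The three misconfiguration classes Keith lists (serial numbers that stop moving forward or wrap, retiring an old address before caches have expired the old record, and MX records pointing at a mail server that does not accept mail for the zone) can all be caught before a change is pushed. The following is an added example, not code from the original mail or from BIND: it implements the RFC 1982 serial comparison that secondaries use, a TTL-aware cutover check, and an MX/SMTP consistency check, run over constructed sample data (example.com names and 192.0.2.0/24 addresses, both reserved for documentation). The `accepted_domains` map is an assumed input standing in for whatever the SMTP servers are actually configured to accept.

```python
"""Pre-change checks for the DNS misconfiguration classes named in the thread.

Added example; not from the original mail. All sample data below is constructed.
"""
from dataclasses import dataclass

SERIAL_MOD = 2 ** 32
SERIAL_HALF = 2 ** 31


def serial_gt(new: int, old: int) -> bool:
    """True if `new` is greater than `old` under RFC 1982 serial arithmetic.

    Secondaries use this comparison to decide whether to pull a new zone, so a
    jump of 2^31 or more is read as going *backwards* even though the integer
    got larger; that is the "wraps prematurely" failure.
    """
    new, old = new % SERIAL_MOD, old % SERIAL_MOD
    if new == old:
        return False
    return (new > old and new - old < SERIAL_HALF) or \
           (new < old and old - new > SERIAL_HALF)


def check_serial_change(old: int, new: int) -> list[str]:
    """Problems with an SOA serial update; an empty list means secondaries accept it."""
    if new == old:
        return ["serial unchanged: secondaries will not notice the zone change"]
    if not serial_gt(new, old):
        return [f"serial {new} is not greater than {old} under RFC 1982 "
                "arithmetic; secondaries will treat the update as stale"]
    return []


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    ttl: int      # seconds
    value: str


def records_still_cached(old_records: list[Record], change_time: int,
                         retire_time: int) -> list[Record]:
    """Old records a resolver may still be serving at `retire_time`.

    A cache that fetched the record just before the change keeps it for a
    full TTL, so the old value must stay valid until change_time + ttl.
    """
    return [r for r in old_records if change_time + r.ttl > retire_time]


def mx_mismatches(mx_hosts: list[str], accepted_domains: dict[str, set[str]],
                  zone: str) -> list[str]:
    """MX hosts that do not accept mail for the zone that lists them."""
    return [h for h in mx_hosts if zone not in accepted_domains.get(h, set())]


# --- constructed sample data -------------------------------------------------
OLD_RECORDS = [
    Record("www.example.com", "A", 86400, "192.0.2.10"),   # one-day TTL
    Record("mail.example.com", "A", 300, "192.0.2.20"),    # five-minute TTL
]
MX_HOSTS = ["mx1.example.com", "mx2.example.com"]
# Assumed: what each SMTP server is configured to accept mail for.
ACCEPTED = {"mx1.example.com": {"example.com"},
            "mx2.example.com": {"example.net"}}


def lint_change() -> dict[str, object]:
    """Run all three checks over the sample data and collect the findings."""
    return {
        # date-style serial moved to a small counter: goes backwards
        "serial": check_serial_change(old=2024013101, new=1),
        # cutover planned one hour after the change
        "still_cached": [r.name for r in
                         records_still_cached(OLD_RECORDS, 0, 3600)],
        "mx_mismatch": mx_mismatches(MX_HOSTS, ACCEPTED, "example.com"),
    }


if __name__ == "__main__":
    for check, finding in lint_change().items():
        print(f"{check}: {finding or 'ok'}")
```

The serial check is the one most often done by eye and got wrong: an increment of one is always fine, but moving between serial schemes (date-based to counter, or the reverse) can land more than 2^31 away from the old value, and every secondary will silently keep the stale zone.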
