Hello Daniel,

Thanks for explaining your case in some more detail. I see now that
you're referring to queries for a reverse zone against authoritative
name servers.

We use Zonemaster as the back-end for performing pre-delegation checks.
It *does* query authoritative name servers directly to look up SOA and
NS records. However, Zonemaster has a built-in caching window of 5
minutes. If one requests the exact same test of Zonemaster within a
5-minute window, then it does not run the test, but returns the previous
result. This is a rate-limiting feature that avoids overwhelming the
Zonemaster server in case someone submits lots of checks to it with the
same parameters. We do not consider this to be a bug at all.

If you would like to discuss this further, please follow up on the
support ticket, without a Cc: to the NCC Services working group. If you
would like to discuss this publicly in a working group anyway, then I
suggest you do it on the DNS working group mailing list.

Regards,
Anand Buddhdev
RIPE NCC

On 02/08/2018 14:45, Daniel Suchy wrote:

> Hello,
> that doesn't make any sense. In the reported case, the zone delegation was
> just missing on the authoritative nameserver. After the issue was fixed at
> the DNS server, *your* server was still caching the *negative* answer and
> refusing object creation (even though the zone was created on our nameserver).
> 
> There's no reason to simulate "client behavior" by caching some results
> locally (and delay object creation just due to that). The current behavior
> leads to false positives during object creation/update and causes
> misleading error messages for web-update end users. DNS servers should
> always be queried directly while checks are performed during object
> creation/update to provide accurate (real) data.
> 
> From my perspective, this is a bug in the current implementation of the
> DNS-related checks on the NCC side.
> 
> With regards,
> Daniel
> 
> 
> On 08/02/2018 02:16 PM, RIPE NCC Support wrote:
>> Ticket (107164) has been updated. To add additional comments, reply to
>> this email.
>>
>> *Anand Buddhdev* (RIPE NCC Support)
>>
>> Aug 2, 14:16 CEST
>>
>> Hi Daniel,
>>
>> Some checks query DNS servers directly, but others use a caching
>> resolver (especially checks that resolve name server names to IP
>> addresses). This simulates the behaviour of a client more accurately.
>> There is no way around this, except to wait for the TTL of the old
>> records to expire, and then you can try to create or update your domain
>> object again.
>>
>> Regards,
>> Anand Buddhdev
>> RIPE NCC
>>
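
As an added illustration, not code from this thread or from Zonemaster itself, the following Python sketch models the 5-minute result cache keyed by test parameters that Anand describes, and runs it through a constructed scenario that reproduces the stale negative result Daniel reports: the zone is fixed on the authoritative server, but an identical check within the window still returns the earlier failure. The check function, zone name and name server names are constructed for the example.

```python
import time
from dataclasses import dataclass

CACHE_WINDOW_SECONDS = 300  # the 5-minute caching window described in the thread


@dataclass
class CheckResult:
    ok: bool
    message: str
    checked_at: float  # clock value when the check actually ran


class CachedPredelegationCheck:
    """Wraps a pre-delegation check; identical parameters seen again within
    the window return the stored result instead of re-running the check."""

    def __init__(self, run_check, clock=time.monotonic, window=CACHE_WINDOW_SECONDS):
        self._run_check = run_check  # callable(zone, nameservers) -> (ok, message)
        self._clock = clock          # injectable so the scenario below can advance time
        self._window = window
        self._cache = {}

    def check(self, zone, nameservers):
        # Normalise the parameters so trivially different spellings share one entry
        key = (zone.lower().rstrip('.'), tuple(sorted(ns.lower() for ns in nameservers)))
        now = self._clock()
        hit = self._cache.get(key)
        if hit is not None and now - hit.checked_at < self._window:
            return hit, True  # served from cache, possibly stale
        ok, message = self._run_check(zone, nameservers)
        result = CheckResult(ok, message, now)
        self._cache[key] = result
        return result, False


def demo():
    """Constructed scenario: delegation is missing at first, then gets fixed."""
    state = {'delegated': False}
    clock = {'t': 0.0}

    def fake_check(zone, nameservers):  # stands in for the real SOA/NS lookups
        if state['delegated']:
            return True, 'SOA and NS records found'
        return False, 'zone not found on authoritative servers'

    checker = CachedPredelegationCheck(fake_check, clock=lambda: clock['t'])
    args = ('0.0.10.in-addr.arpa', ['ns1.example.net', 'ns2.example.net'])
    first, cached1 = checker.check(*args)   # fresh negative result
    state['delegated'] = True               # operator fixes the zone
    clock['t'] += 60
    second, cached2 = checker.check(*args)  # still negative: served from cache
    clock['t'] += 300
    third, cached3 = checker.check(*args)   # window expired: fresh positive result
    return [(first.ok, cached1), (second.ok, cached2), (third.ok, cached3)]
```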
