Jon Carnes wrote:
On Tue, 2006-05-16 at 23:57, Aaron S. Joyner wrote:
Friendly public service announcement (I'm sure Jon knows, but I can't
let a statement like the above go by without responding). Assuming you
have some semblance of control over the DNS records themselves, you
should lower the TTL before you change the IP (or name) associated with
that record, and then raise the TTL again after the change has
stabilized. Let's consider a hypothetical scenario. You run a web
server, www.example.com. You're going to change providers, and thus
change the IP of the machine serving www.example.com. The steps to
follow go something like this:
1: Examine the current record, determine how long the TTL is (we'll say
it's 3 days, or 10800 seconds).
2: At least one current-TTL-interval (3 days) before you intend to make
the change, update the TTL for that record (and all other potentially
affected records) to be very low, for example 5 mins (900 seconds).
3: Test the new setup on the new IP, then 'throw the switch' by
changing the DNS record.
4: Establish that everything is working as expected, perhaps wait 1 day
to be sure.
5: Make a final DNS update to return the TTL to its previous long /
stable value.
This way, your DNS updates can normally have nice long cache times,
making your bandwidth bill lower, your users' latency lower, still
giving you the ability to have quick change over of service, and making
the Internet a healthier place. This makes everyone happy. :)
As an exercise for the reader, how would you handle migrating your DNS
server(s) from one IP address (or one subnet) to another, using similar
techniques? Do you need to talk to someone outside your organization,
or can you do it all in-house? Are you sure of your answer to that last
question? How would you find out for sure... :) A Google T-shirt(*)
to the person who comes up with the best / most complete answer(+).
Aaron S. Joyner
* - Size of your choice, in white or black:
http://www.googlestore.com/product.asp?catid=5&code=GO0108
http://www.googlestore.com/product.asp?catid=5&code=GO13022
+ - Final decision about answer quality is at my sole discretion,
although I promise to be as fair as possible. Credit for information
posted will come on a first-come, first-serve basis - ie. if someone
posts a 90% complete answer, and you rephrase their answer plus 10%
more, unless that 10% is really critical they'll probably be considered
to have the better answer. Hence, posting sooner is better, but I'll
probably wait either until every angle has been exhausted or at most 5
days. Time differences of less than roughly 2-3 mins in time sent are
not considered noteworthy.
Well who could resist that offer... especially since I move folks' DNS
servers over to our ISP all the time (and we've never lost a look-up
yet!).
1) On the old servers, set the TTL to 4 hours (14400) or less. Set the
SOA Refresh interval to 20 minutes (3600) if you expect to keep some of
the current secondary NS servers up and running. This tells the
secondaries to check in every 20 minutes for updates.
2) On the new servers, set up the Name info for the domain. Be sure the
SOA is set up properly to reflect the new server. Make sure you list your
new Name servers as DNS entries.
3) Once the new servers are set up and running you can simply go to your
Domain register (GoDaddy.com) and change your Name servers. The change
will take a while, so you need to get this done a few days to one week
prior to when you want to make the move. We find that 48 hours pretty
much does the trick. A check of the logs indicates if any traffic is
still going to the old servers.
... and that is pretty much it unless you are also changing IP ranges.
Check your Name server setup by visiting:
http://www.dnsreport.com
<Trilug does fairly good here - only having one red mark - It's an open
DNS server and these days the Black hat guys can exploit that>
Use the "whois" command to see what your current Name servers are set to
at the Internic:
Name Server:NS.WAYFARER.ORG
Name Server:NS2.TRILUG.ORG
Use the command "host -t ns <domain name>" to see what your primary name
server *thinks* your Name servers are... these should agree.
host -t ns trilug.org
trilug.org name server ns.wayfarer.org.
trilug.org name server ns2.trilug.org.
Jon Carnes
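The five-step TTL step-down that Aaron lays out above is easy to get wrong in one specific way: cutting over before the short TTL has been live for a full old-TTL interval, so that some caches still hold the old answer. The following is an added example, not code from either poster, that turns the schedule into a small planner and a guard for that failure mode. Function names, the cutover date, and the 300-second low TTL are this example's own assumptions.

```python
"""TTL step-down planner for a DNS record change (added example).

Follows the five steps from the thread: publish a short TTL at least one
old-TTL interval before the cutover, cut over, let things soak, then restore
the original TTL.  Names and values here are the example's own assumptions.
"""
from datetime import datetime, timedelta, timezone

# Constructed scenario: www.example.com currently has a 3-day TTL and is
# moved on the morning of 2006-05-20 (date picked to match the thread).
EXAMPLE_CUTOVER = datetime(2006, 5, 20, 9, 0, tzinfo=timezone.utc)


def plan_ttl_change(cutover_at, old_ttl, low_ttl=300, soak=timedelta(days=1)):
    """Return the timeline for a record whose current TTL is old_ttl seconds.

    cutover_at: when the record's data (IP or name) actually changes (step 3).
    low_ttl:    the temporary short TTL published beforehand (step 2).
    soak:       how long the short TTL stays after the cutover (step 4).
    """
    old = timedelta(seconds=old_ttl)
    return {
        # Latest moment to publish low_ttl so every cache has expired the
        # long-TTL copy by the time the data changes.
        "lower_ttl_by": cutover_at - old,
        "cutover": cutover_at,
        # Caches that honour TTLs have refetched the new data by this point.
        "caches_clean_by": cutover_at + timedelta(seconds=low_ttl),
        # Step 5: put the long, bandwidth-friendly TTL back.
        "restore_ttl_at": cutover_at + soak,
        "old_ttl": old_ttl,
        "low_ttl": low_ttl,
    }


def cutover_ready(lowered_at, old_ttl, now):
    """True once the low TTL has been live for at least one full old-TTL
    interval, i.e. every cache that fetched the record before the drop has
    had the chance to expire it.  Switching earlier is the classic mistake."""
    return now - lowered_at >= timedelta(seconds=old_ttl)


def seconds_to_human(seconds):
    """Render a TTL as e.g. '3d 0h 0m' so zone-file values are easy to sanity-check."""
    d, rem = divmod(int(seconds), 86400)
    h, rem = divmod(rem, 3600)
    return f"{d}d {h}h {rem // 60}m"


if __name__ == "__main__":
    plan = plan_ttl_change(EXAMPLE_CUTOVER, old_ttl=3 * 86400, low_ttl=300)
    for key, value in plan.items():
        print(f"{key:16} {value}")
    print("old TTL:", seconds_to_human(plan["old_ttl"]))
    # Lowering the TTL only one day before a 3-day-TTL cutover is too early:
    too_late = EXAMPLE_CUTOVER - timedelta(days=1)
    print("ready at cutover?", cutover_ready(too_late, 3 * 86400, EXAMPLE_CUTOVER))
```

The planner deliberately takes the TTL in seconds, the unit the zone file uses, and `seconds_to_human` exists so that a value can be read back in days and hours before it is published; most TTL surprises come from a wrong unit conversion rather than from the procedure itself.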
I'm really surprised no one else has picked up this thread and run with
it. :) Both Jon and Tanner had good answers, so I'll send them both a
T-shirt (let me know your size and color preference, privately if you
prefer). I'll point out some common misconceptions from their answers,
and pose some additional thinking points. Jon and Tanner, give it a day
or so before you respond, if you'd like to. :) If things aren't
completely fleshed out by Monday evening, I'll try to remember to hit
this thread again and tidy up the loose ends.
1) whois is not used by DNS in any manner, whatsoever. It's used by
humans, as a database maintained by the registrars, of contact
information for a given domain. If I want to look up the name servers
for a domain, I should use host or dig (no, you really shouldn't use
nslookup, but it would work :) ). If I want to look up who to contact
about that domain, I should use whois. Well, I'd probably trust the
email contact listed in the SOA more, but if I needed more traditional
contact methods, ala name, phone, address, whois provides that. How
would I use host or dig to find out what the delegating entity believes
my name servers are, i.e. instead of the whois command Jon suggested:
`whois trilug.org`?
2) Neither Tanner nor Jon touched on who you actually need to contact to
update the information in the "whois" record. There's a good buzzword
name for that company or entity, which I'm sure they both know, but
neglected to mention directly.
3) Nobody touched on this fun and interesting angle: Can you do it
without talking to that entity, and what interesting things happen if you
try? (hint: this more often happens by accident)
4) Neither of them mentioned if any updates would be required to
secondary servers?
5) Much attention was given to the SOA, the authoritative name server
mentioned in it, and its TTL. What role do each of these parts play?
What do slaves use to determine who to pull the zone from? How do they
decide to get a new copy of the zone? What roles does the SOA play to
persons other than the secondary?
If a good answer comes along to all of these, I might feel compelled to
toss out another T-shirt. If not, I'll be sure to eventually answer all
my own questions for the curious minded folks. :)
Aaron S. Joyner
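Jon's post above says the name servers the delegating side lists and the NS records inside the zone "should agree", and Aaron's point 1 and point 5 turn on which listing comes from where and what the SOA fields mean to a secondary. The following is an added example, not code from either poster, that runs that agreement check and an SOA serial comparison on captured command output, so it works offline. The two NS listings and the two SOA records are constructed to look like `host -t ns` and `dig` output; `ns3.example.net`, the rname, and the serial values are invented for the example, and how each listing is obtained is left to the thread.

```python
"""Delegation / zone consistency check on captured output (added example).

The two NS listings below are constructed samples in `host -t ns` format,
one as reported by the delegating side and one as answered by the zone's
own server.  The SOA records are constructed samples in dig's presentation
format.  None of this is real captured data.
"""
import re

DELEGATION_OUTPUT = """\
trilug.org name server ns.wayfarer.org.
trilug.org name server NS2.TRILUG.ORG.
"""

ZONE_OUTPUT = """\
trilug.org name server ns2.trilug.org.
trilug.org name server ns.wayfarer.org.
trilug.org name server ns3.example.net.
"""

# Constructed SOA answers as an old secondary and the new master might give.
SOA_OLD = "trilug.org. 14400 IN SOA ns.wayfarer.org. hostmaster.trilug.org. 2006051601 3600 900 1209600 14400"
SOA_NEW = "trilug.org. 14400 IN SOA ns2.trilug.org. hostmaster.trilug.org. 2006051602 3600 900 1209600 14400"

NS_LINE = re.compile(r"name server\s+(\S+)")


def parse_ns(output):
    """Extract a normalised set of server names from `host -t ns` style output.
    Case and the trailing dot are ignored so cosmetic differences between the
    two listings do not register as a mismatch."""
    return {m.group(1).rstrip(".").lower() for m in NS_LINE.finditer(output)}


def compare_ns(delegation, zone):
    """Report servers present on one side but not the other.  Anything in
    'delegated_but_not_in_zone' or 'in_zone_but_not_delegated' is a server
    that only part of the Internet will ever ask."""
    d, z = parse_ns(delegation), parse_ns(zone)
    return {
        "consistent": d == z,
        "delegated_but_not_in_zone": sorted(d - z),
        "in_zone_but_not_delegated": sorted(z - d),
    }


def parse_soa(rr):
    """Split a presentation-format SOA record into its named fields."""
    f = rr.split()
    if len(f) < 11 or f[3] != "SOA":
        raise ValueError("not an SOA record: " + rr)
    return {
        "mname": f[4].rstrip(".").lower(),  # server named as the zone's master
        "rname": f[5],                       # contact mailbox, dot for the '@'
        "serial": int(f[6]),                 # version stamp secondaries compare
        "refresh": int(f[7]),                # how often a secondary re-checks
        "retry": int(f[8]),
        "expire": int(f[9]),
        "minimum": int(f[10]),
    }


def serial_state(old_rr, new_rr):
    """Whether a secondary holding old_rr will pull the zone described by
    new_rr: it only transfers when the serial has gone up, and it re-checks
    no sooner than the refresh interval it already holds."""
    old, new = parse_soa(old_rr), parse_soa(new_rr)
    return {
        "will_transfer": new["serial"] > old["serial"],
        "master_changed": old["mname"] != new["mname"],
        "recheck_after_s": old["refresh"],
    }


if __name__ == "__main__":
    print(compare_ns(DELEGATION_OUTPUT, ZONE_OUTPUT))
    print(serial_state(SOA_OLD, SOA_NEW))
```

In the constructed data the zone advertises `ns3.example.net` but the delegation does not, which is exactly the kind of half-finished move the check is meant to catch; the serial comparison shows why a zone edit that forgets to bump the serial never reaches the secondaries however short the refresh interval is.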
--
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/