Wandering Thoughts archives


How not to set up your DNS (part 12)

Last week Securityfocus, home of a number of reasonably active mailing lists that our users like getting, changed their nameservers from the Symantec corporate nameservers to UltraDNS. And then the Symantec corporate nameservers promptly stopped giving useful answers to queries about the securityfocus.com domain (instead returning the standard 'I have nothing to do with them' results of a referral to the root zone).

Since the mailing lists are reasonably active and we do check to make sure that the MAIL FROM domain actually exists (much like most of the rest of the Internet), our nameserver had the old NS records cached. The ones that now disclaimed authority, thereby creating temporary DNS failures when we tried to verify the MAIL FROM of new email from Securityfocus mailing lists.

(We eventually 'solved' the problem by restarting our caching nameserver, thereby purging its cache of the old NS records.)

All of this points out the golden rule of DNS server transitions: you need both the new and the old NS servers answering queries (and with the same answers). In a sense it is a form of garbage collection; you shouldn't turn off the old DNS servers while anyone can legally still have a cached reference to them.

sysadmin/HowNotToDoDNSXII written at 21:44:32; Add Comment

Page tools: See As Normal.
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.