On Sun, Aug 04, 2002 at 08:48:06PM +1200, Andy Linton wrote:

> Presumably they've already found someone with a clue or could pay someone to get one on this reasonably important issue.

You and I both know this is easier said than done! There is a shortage of clues and people familiar with the network and systems, which can inhibit remote infrastructure if it's not super reliable or able to be fixed by pressing a reboot button.

> Surely the worst scenario is you get that nameserver switched off and plug in a replacement.

Well... ideally for the cost of hardware you run two or three and remotely switch, have cables labelled and tell the people there to plug the A end of the blue cable into port #5 of box 7 whatever. Make sure they don't cut the green wire though, that's always bad news, especially if the count down timer is close to zero.

One nice idea is that USB webcams are like $9 now... and easy to get going remotely so you can use these.

> What happens if someone gets to the existing servers...

Existing/local servers are usually physically close by and more closely watched and better baby-sat by operations people in my experience. They tend to be behind firewalls which IMO is a terrible idea for any moderately sized DNS server...

> If I'm using a browser and I try www.xxx.net and there are no nameservers responding that know about the zone won't I get a "name not found - check the name and try again" message.

Probably. What is wrong with this? If the web-site is down, who cares? It's an error, people just think "oh well" and try later or give up. Almost nobody actually really thinks what the error says.

A better example is email bounces... almost *everyone* I deal with in some kind of email-providing capacity or as some kind of networking authority (ha!) calls me up or forwards me (munged by M$ lookout) messages with comments like "Chris! The email is broken! The End of Nigh!" when the message clearly says something like "The Mailbox you.r.a.moron(a)aol.com does not exist" or "The domain you.have.no.clue.org is not valid".

The problem is so bad I actually wrote a thing to pull apart MIME multipart messages so when a DSN is detected I decode it and give them a nice pretty graphical message with nice flashy graphics to make it really obvious, complete with clickable 'explain this more thingies'.

Of course, M$ sExchange boxes really mess this idea up (they don't seem to produce DSN style bounces)... (pity, as those are the most often misconfigured from what I can tell).

> If I try to mail fred(a)bloggs.net and no A or MX record gets returned I'll get a bounce from the mail.

Sure... but only if the authoritative servers say this; which requires working DNS. If they can't be reached, then the mail will remain in the queue.

> I might run a "dig ns bloggs.net" but one or two folk out there will just shrug and think that the address is broken.

It is broken if the mail bounces. If the delegations are lame, the name-servers are borked or unreachable, it *should* queue.

An example of this is 'coriolis.com'. The name-servers for this domain are unreachable. Send email to it ... it won't bounce until it expires in the queue. If it does, you need to take a clue-by-four to someone and get the MTA and/or DNS fixed.

Email should never bounce from what could be temporary errors such as DNS not responding as this happens all the time for many different reasons.

> I'm not talking about my MTA - I'm thinking of the case above.

I just don't get it. Have you an example domain?

Don't get me wrong, I think people should have DNS redundancy across multiple prefixes. I've done this myself. However, assuming I didn't have this and the T goes down, what do I lose? Nothing can reach me anyhow to deliver email or see web-sites.

--cw
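
Added example, not part of the original message and not the poster's own tool: one way to decode a DSN-style bounce (RFC 3464 `multipart/report`) with Python's standard `email` package and separate permanent failures from temporary ones that should stay queued. The sample message, addresses and the `parse_dsn` name are constructed for illustration.

```python
import email
# Constructed sample bounce in RFC 3464 multipart/report format (not a real message).
SAMPLE_DSN = """\
From: MAILER-DAEMON@mail.example.org
Content-Type: multipart/report; report-type=delivery-status; boundary="BOUND"

--BOUND
Content-Type: text/plain

Delivery report from mail.example.org.

--BOUND
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.org

Final-Recipient: rfc822; nobody@example.net
Action: failed
Status: 5.1.1
Diagnostic-Code: smtp; 550 5.1.1 User unknown

Final-Recipient: rfc822; fred@example.com
Action: delayed
Status: 4.4.3
Diagnostic-Code: smtp; 451 4.4.3 Temporary DNS lookup failure

--BOUND--
"""

def parse_dsn(raw):
    """Return one dict per recipient block, or [] if raw is not a DSN."""
    msg = email.message_from_string(raw)
    if msg.get_content_type() != "multipart/report" or msg.get_param("report-type") != "delivery-status":
        return []
    results = []
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        # Payload is a list of header blocks: the first is per-message, the rest per-recipient.
        for block in part.get_payload()[1:]:
            status = block.get("Status", "").strip()
            results.append({
                "recipient": block.get("Final-Recipient", "").split(";", 1)[-1].strip(),
                "action": block.get("Action", "").strip().lower(),
                "status": status,
                "permanent": status.startswith("5."),  # class 4 is temporary: mail stays queued
                "diagnostic": block.get("Diagnostic-Code", "").strip(),
            })
    return results
```

Bounces that are not in DSN format return an empty list, so they need a separate fallback path.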