Lately I've had a lot of issues with domain nameserver changes taking *ages* to propagate in NZ. They seem to propagate really quickly everywhere else in the world from what I can tell. Do some NZ ISPs take longer to update their DNS records for some reason? Anyone else experienced this? Cheers Thomas
On 24/04/2009, at 1:11 PM, Thomas Rowley wrote:
Lately I've had a lot of issues with domain nameserver changes taking ages to propagate in NZ. They seem to propagate really quickly everywhere else in the world from what I can tell.
Got any examples? Jay -- Jay Daley Chief Executive NZ Registry Services Ltd desk: +64 4 931 6977 mobile: +64 21 678840
DNS zones update according to the settings in the zone. Resolvers LOOK at this and work out how long to cache. (I've been explaining this for about 15 years now - it hasn't changed).

If you're making changes to your DNS zone then you need to understand which of the timer settings in your zone to alter and when in order to get the behaviour you want.

Read this: http://www.technologytricks.com/speed-up-dns-propagation/

MMC

On 24/04/2009, at 10:41 AM, Thomas Rowley wrote:
Lately I've had a lot of issues with domain nameserver changes taking ages to propagate in NZ. They seem to propagate really quickly everywhere else in the world from what I can tell.
Do some NZ ISPs take longer to update their DNS records for some reason? Anyone else experienced this?
Cheers Thomas _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog
-- Matthew Moyle-Croft Networks, Internode/Agile Level 5, 162 Grenfell Street, Adelaide, SA 5000 Australia Email: mmc(a)internode.com.au Web: http://www.on.net Direct: +61-8-8228-2909 Mobile: +61-419-900-366 Reception: +61-8-8228-2999 Fax: +61-8-8235-6909
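As an added illustration of the point above about which zone timer matters (this is not code from the thread; the zone name, addresses and timings are constructed, and the addresses come from the RFC 5737 documentation ranges), here is a small Python model of a resolver that honours TTLs. It runs the same nameserver change through four situations: changing the record without touching the TTL, lowering the TTL but cutting over straight away, lowering the TTL and waiting one old TTL before the change, and a cold cache that never saw the old record (the "everywhere else in the world" case).

```python
"""Constructed model of a TTL-honouring cache (added example, not from the
thread). Names, addresses and timings are made up."""
from dataclasses import dataclass

NAME = "www.example.nz"                          # constructed zone name
OLD_ADDR, NEW_ADDR = "192.0.2.1", "198.51.100.7"  # RFC 5737 documentation addresses


@dataclass
class Record:
    rdata: str
    ttl: int


class AuthServer:
    """Authoritative server: answers with whatever record and TTL it holds now."""

    def __init__(self, rdata: str, ttl: int) -> None:
        self.record = Record(rdata, ttl)

    def answer(self) -> Record:
        return Record(self.record.rdata, self.record.ttl)


class CachingResolver:
    """Keeps an answer until the TTL the authority supplied has elapsed, then
    re-queries. This is the behaviour the thread calls 'honouring TTLs'."""

    def __init__(self, auth: AuthServer) -> None:
        self.auth = auth
        self.cache = {}                           # name -> (rdata, expires_at)

    def lookup(self, name: str, now: int) -> str:
        cached = self.cache.get(name)
        if cached is not None and now < cached[1]:
            return cached[0]                      # still within TTL: serve from cache
        rec = self.auth.answer()
        self.cache[name] = (rec.rdata, now + rec.ttl)
        return rec.rdata


def stale_seconds_after_cutover(lower_ttl_first: bool, wait_old_ttl: bool = True,
                                cache_warm: bool = True, old_ttl: int = 86400,
                                new_ttl: int = 300, step: int = 60) -> int:
    """Seconds for which a resolver keeps returning OLD_ADDR after the authority
    switches to NEW_ADDR. A client behind the resolver asks every `step`
    seconds. cache_warm=True models a domestic resolver whose users looked the
    name up before the change; False models an overseas resolver that first
    sees the name after it."""
    auth = AuthServer(OLD_ADDR, old_ttl)
    resolver = CachingResolver(auth)
    t = 0
    if cache_warm:
        resolver.lookup(NAME, t)                  # cache holds OLD_ADDR with old_ttl
    if lower_ttl_first:
        auth.record.ttl = new_ttl                 # step 1: publish the lower TTL
        if wait_old_ttl:
            # step 2: wait one old TTL so every cache has refreshed with the low TTL
            while t < old_ttl:
                t += step
                if cache_warm:
                    resolver.lookup(NAME, t)
    auth.record.rdata = NEW_ADDR                  # step 3: the actual change
    cutover = t
    while resolver.lookup(NAME, t) == OLD_ADDR:
        t += step
    return t - cutover


if __name__ == "__main__":
    scenarios = [
        ("change without lowering TTL", dict(lower_ttl_first=False)),
        ("lower TTL, change at once", dict(lower_ttl_first=True, wait_old_ttl=False)),
        ("lower TTL, wait old TTL, change", dict(lower_ttl_first=True)),
        ("cold overseas cache", dict(lower_ttl_first=False, cache_warm=False)),
    ]
    for label, kwargs in scenarios:
        print(f"{label}: stale for {stale_seconds_after_cutover(**kwargs)} s")
```

The second scenario is the common mistake: lowering the TTL in the same edit as the address change does nothing for caches that already hold the record with the old TTL, which is why the wait in step 2 has to be a full old TTL.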
On Fri, Apr 24, 2009 at 10:51:46AM +0930, Matthew Moyle-Croft wrote:
DNS zones update according to the settings in the zone. Resolvers LOOK at this and work out how long to cache.
(I've been explaining this for about 15 years now - it hasn't changed).
you set your TTLs to 15 years! That's assurance. --bill
To counteract this, I tend to find things rather good.
Most ISPs tend to honour TTLs. So for a domain name to shift
generally it takes an hour for NZRS to update their zonefiles, and
then you need to wait for the various ISPs' TTLs to expire.
Cheers
Dave
On Fri, Apr 24, 2009 at 1:11 PM, Thomas Rowley
Lately I've had a lot of issues with domain nameserver changes taking ages to propagate in NZ. They seem to propagate really quickly everywhere else in the world from what I can tell.
Do some NZ ISPs take longer to update their DNS records for some reason? Anyone else experienced this?
Cheers Thomas
Hi all, On Fri, 2009-04-24 at 13:23 +1200, Dave Mill wrote:
To counteract this, I tend to find things rather good.
Most ISPs tend to honour TTLs.
Xtra's alien / terminator were the only real exceptions to this I can recall in recent history. I have no idea if they're still being occasionally weird about caching incorrect records. I don't think I've (noticed) having a problem with them in a few years. -- -Michael Fincham System Administrator, Unleash www.unleash.co.nz Phone: 0800 750 250 DDI: 03 978 1223 Mobile: 027 666 4482
I think in the past alien/terminator would ignore low TTLs. I seem to
recall something around the 7200 mark. However, I believe this is no
longer the case.
Some ISPs automate the removal of old zones from their DNS servers,
others don't. The others generally just need a gentle prod to the
right people (preferably not this list) to get them removed. The
technical contact in their domain's WHOIS records is generally a good
place to start.
On another DNS note, has the extremely low TTL setting for Facebook A
records caused any issues to other ISPs?
Dave
On Fri, Apr 24, 2009 at 1:42 PM, Michael Fincham
Hi all,
On Fri, 2009-04-24 at 13:23 +1200, Dave Mill wrote:
To counteract this, I tend to find things rather good.
Most ISPs tend to honour TTLs.
Xtra's alien / terminator were the only real exceptions to this I can recall in recent history. I have no idea if they're still being occasionally weird about caching incorrect records.
I don't think I've (noticed) having a problem with them in a few years.
-- -Michael Fincham
On Fri, 24 Apr 2009, Dave Mill wrote:
I think in the past alien/terminator would ignore low TTLs. I seem to recall something around the 7200 mark. However, I believe this is no longer the case.
Some ISPs automate the removal of old zones from their DNS servers, others don't. The others generally just need a gentle prod to the right people (preferably not this list) to get them removed. The technical contact in their domain's WHOIS records is generally a good place to start.
+1. At least one ISP that I know fairly well took the approach that until actually contacted by the customer in an authenticated manner, removing the zones construed 'unnotified cancellation of a service' and therefore would not remove zones - notwithstanding the registry - unless the customer asked them to. This perspective extended to mail handling for the domain concerned, and caused no end of grief as a result... I'm not going to be specific, because it's probably spilt milk these days; entirely likely said system has been retired. Still, I know how history can taint an individual's view of the world...
On another DNS note, has the extremely low TTL setting for Facebook A records caused any issues to other ISPs?
I've heard reports of slow load times associated with slow / poor performance of the reportee's DNS platform. Low TTLs have a flow-on load hit which is fine if you have sufficient overhead to deal with it, I suppose... Mark.
On 23 Apr 2009, at 21:35, Dave Mill wrote:
Some ISPs automate the removal of old zones from their DNS servers, others don't.
If ISPs are hosting domains on the same nameservers that are providing recursive service to customers, still, in 2009, may I suggest someone politely slap them up the side of the head and tell them to stop doing that. Joe
+1
(probably with a small hint to a decent dns server that knows about the
difference between authoritative and recursive ...)
lenz
On Fri, Apr 24, 2009 at 2:13 PM, Joe Abley
On 23 Apr 2009, at 21:35, Dave Mill wrote:
Some ISPs automate the removal of old zones from their DNS servers, others don't.
If ISPs are hosting domains on the same nameservers that are providing recursive service to customers, still, in 2009, may I suggest someone politely slap them up the side of the head and tell them to stop doing that.
Joe
-- iWantMyName.com painless domain registration (finally)
On that note, I'm currently splitting recursive and authoritative DNS
plus using unbound as a primary recursive DNS server.
My thoughts on this so far are...
-Splitting recursive from authoritative DNS is a complete pain in the
@#$# but has many, many benefits.
-Unbound seems rather nice. Simple to set-up, simple configuration,
and supports so many things out of the box. Seems to have a rather
nice forked operation mode which I'm currently testing.
So, take the plunge and do the split. And if you're unhappy with bind
(I was) try unbound as an alternative.
Dave
On Fri, Apr 24, 2009 at 2:20 PM, lenz
+1 (probably with a small hint to a decent dns server that knows about the difference between authoritative and recursive ...) lenz
Hi,

Best practice in DNS is to run separate recursive and authoritative dns servers. It's referenced in some rfc somewhere I believe.

Scripting something to check the whois every night for the domains you host and removing ones that are no longer pointing at your dns servers is also a good idea (saves doing it by hand.)

Cheers,

On 24/04/2009, at 2:35 PM, Dave Mill wrote:
On that note, I'm currently splitting recursive and authoritative DNS plus using unbound as a primary recursive DNS server.
My thoughts on this so far are...
-Splitting recursive from authoritative DNS is a complete pain in the @#$# but has many, many benefits.
-Unbound seems rather nice. Simple to set-up, simple configuration, and supports so many things out of the box. Seems to have a rather nice forked operation mode which I'm currently testing.
So, take the plunge and do the split. And if you're unhappy with bind (I was) try unbound as an alternative.
Dave
On Fri, Apr 24, 2009 at 2:20 PM, lenz
wrote: +1 (probably with a small hint to a decent dns server that knows about the difference between authoritative and recursive ...) lenz
Patrick Jordan-Smith wrote:
Best practice in DNS is to run separate recursive and authoritative dns servers. It's referenced in some rfc somewhere I believe.
RFC 5358/BCP-140.
Scripting something to check the whois every night for the domains you host and removing ones that are no longer pointing at your dns servers is also a good idea (saves doing it by hand.)
Perhaps checking authoritativeness against the DNS servers for the TLD would be more appropriate rather than pounding whois ;).

As a minor point to Thomas' original question, could the propagation issues in NZ you see be related to the fact that your domains are primarily used by New Zealanders, thus are more likely to be cached in local recursive nameservers, vs. not being cached by overseas nameservers. This would account for the delay you see, while you wait for domestic servers to reach TTL expiry. How long is your TTL? Thought about reducing it?

aj
On 24/04/2009, at 2:35 PM, Dave Mill wrote:
-Unbound seems rather nice. Simple to set-up, simple configuration, and supports so many things out of the box. Seems to have a rather nice forked operation mode which I'm currently testing.
So, take the plunge and do the split. And if you're unhappy with bind (I was) try unbound as an alternative.
I would go even further and suggest everyone use unbound in preference to any other caching resolver. It is extremely well designed, coded, tested and supported. I'm sure BIND10 will be as well but for now, as is natural, BIND9 has been leap-frogged by the more recently released product. Jay
... and powerdns for authoritative dns, unbound and powerdns is a nice
couple and takes the pain out of dns management.
lenz
On Fri, Apr 24, 2009 at 2:50 PM, Jay Daley
On 24/04/2009, at 2:35 PM, Dave Mill wrote:
-Unbound seems rather nice. Simple to set-up, simple configuration, and supports so many things out of the box. Seems to have a rather nice forked operation mode which I'm currently testing.
So, take the plunge and do the split. And if you're unhappy with bind (I was) try unbound as an alternative.
I would go even further and suggest everyone use unbound in preference to any other caching resolver. It is extremely well designed, coded, tested and supported. I'm sure BIND10 will be as well but for now, as is natural, BIND9 has been leap-frogged by the more recently released product.
Jay
-- iWantMyName.com painless domain registration (finally)
lenz wrote:
... and powerdns for authoritative dns, unbound and powerdns is a nice couple and takes the pain out of dns management.
lenz
On Fri, Apr 24, 2009 at 2:50 PM, Jay Daley
wrote:

On 24/04/2009, at 2:35 PM, Dave Mill wrote:
> -Unbound seems rather nice. Simple to set-up, simple configuration,
> and supports so many things out of the box. Seems to have a rather
> nice forked operation mode which I'm currently testing.
>
> So, take the plunge and do the split. And if you're unhappy with bind
> (I was) try unbound as an alternative.
I would go even further and suggest everyone use unbound in preference to any other caching resolver. It is extremely well designed, coded, tested and supported. I'm sure BIND10 will be as well but for now, as is natural, BIND9 has been leap-frogged by the more recently released product.
I would just like to recommend simple DNS plus, not because I've actually used it or anything but rather, because it's not bind and has the most little green boxes on the wiki page that details DNS server software features http://en.wikipedia.org/wiki/Comparison_of_DNS_server_software (and for those that have missed the sarcasm, you really don't need to reply.) -- Steve.
On Fri, Apr 24, 2009 at 2:55 PM, lenz
... and powerdns for authoritative dns, unbound and powerdns is a nice couple and takes the pain out of dns management. lenz
Getting dangerously off topic here but.. Has anyone found any good open source front ends for managing PowerDNS zones? One that isn't completely painful when managing large zonefiles? The best I found was a ruby-on-rails one but even that wasn't spectacular. And we weren't ready to write our own at that point in time. Cheers Dave
Getting dangerously off topic here but..
Has anyone found any good open source front ends for managing PowerDNS zones? One that isn't completely painful when managing large zonefiles?
I normally integrate the dns management into the customer account management interface, I definitely don't want to deal with all the dns management of my customers by myself, but for my private stuff I just use poweradmin ... good enough for me. lenz -- iWantMyName.com painless domain registration (finally)
Hi Jay! On 23 Apr 2009, at 22:50, Jay Daley wrote:
I would go even further and suggest everyone use unbound in preference to any other caching resolver. It is extremely well designed, coded, tested and supported. I'm sure BIND10 will be as well but for now, as is natural, BIND9 has been leap-frogged by the more recently released product.
It used to be that BIND9 was a sick pig of a resolver, but its performance has improved dramatically somewhere along the 9.5 release train. I run two resolvers that serve about 35,000 DSL-attached users in Ontario and Québec and 9.5 runs just fine. I also run unbound in my home/office network, and it seems to do what it says on the box. I still find occasional corner cases which lead to persistent inability to resolve things with unbound that I have not yet had time to properly debug, though, which is mainly what has stopped me from replacing one of the resolvers mentioned above with unbound. I would agree that it is definitely worth trying, though. There are a lot of clever hooks and fancy bits under unbound's hood, and Wouter and co are pleasantly responsive to problem reports. Unbound also has the distinct advantage that it's not BIND, so if you are interested in software diversity a mixture of the two might give you some protection in the event of a zero-day exploit that affects just one of them. BIND10's release timeline is long enough that I don't think it even enters into the picture today unless you're deliberating over software you might run in 5 years time. Joe
Joe Abley wrote:
I would agree that it is definitely worth trying, though. There are a lot of clever hooks and fancy bits under unbound's hood, and Wouter and co are pleasantly responsive to problem reports.
Unbound also has the distinct advantage that it's not BIND, so if you are interested in software diversity a mixture of the two might give you some protection in the event of a zero-day exploit that affects just one of them.
I too have been running unbound and nsd since January and I've found both work well for me. I think the same caveat for software diversity applies to Bind's authoritative role.

I've also been using ldns - the NLnet Labs libdns library and tools (http://www.nlnetlabs.nl/projects/ldns/) which has some nice hooks and support for DNSSEC including 'drill' (cf 'dig') and
# ldns-keyfetcher - Fetches DNSSEC public keys for zones
# ldns-keygen - Generate private/pubkey key pair for DNSSEC.
# ldns-signzone - Signs a zone file according to DNSSECbis.
# ldns-walk - 'Walks' a DNSSEC zone

I too have found the guys at NLnet Labs helpful.
On Tue, Apr 28, 2009 at 9:28 AM, Andy Linton
I too have found the guys at NLnet Labs helpful.
especially bert[1] is a real value to the community :-) [1] http://bert.secret-wg.org/index.html -- iWantMyName.com painless domain registration (finally)
On 24/04/2009, at 2:13 PM, Joe Abley wrote:
On 23 Apr 2009, at 21:35, Dave Mill wrote:
Some ISPs automate the removal of old zones from their DNS servers, others don't.
If ISPs are hosting domains on the same nameservers that are providing recursive service to customers, still, in 2009, may I suggest someone politely slap them up the side of the head and tell them to stop doing that.
And if the hardware *really* isn't available, bind views work just fine - one recursive, one authoritative, destination address used to put queries in to each view. -- Nathan Ward
On Fri, 24 Apr 2009, Michael Fincham wrote:
On Fri, 2009-04-24 at 13:23 +1200, Dave Mill wrote:
To counteract this, I tend to find things rather good. Most ISPs tend to honour TTLs.
Xtra's alien / terminator were the only real exceptions to this I can recall in recent history. I have no idea if they're still being occasionally weird about caching incorrect records.
I don't think I've (noticed) having a problem with them in a few years.
I really think this is an urban legend. AFAIK the boxes were running bind for a long time and there isn't even an option to make it ignore TTLs [1]. The non-splitting of Auth/Recursive DNS was a problem with them though, especially since such a large percentage of the NZ internet used them that people noticed really quickly when "people still go to our old website". Xtra's been handing out different recursive servers (to people who leave their DNS settings on automatic) for years so anybody who is using them for recursion has hardcoded them. [1] - If there was then ANZ would be first to be "fixed" -- Simon Lyall | Very Busy | Web: http://www.darkmere.gen.nz/ "To stay awake all night adds a day to your life" - Stilgar | eMT.
On Fri, 2009-04-24 at 14:58 +1200, Simon Lyall wrote:
On Fri, 24 Apr 2009, Michael Fincham wrote:
On Fri, 2009-04-24 at 13:23 +1200, Dave Mill wrote:
To counteract this, I tend to find things rather good. Most ISPs tend to honour TTLs.
Xtra's alien / terminator were the only real exceptions to this I can recall in recent history. I have no idea if they're still being occasionally weird about caching incorrect records.
I don't think I've (noticed) having a problem with them in a few years.
I really think this is an urban legend. AFAIK the boxes were running bind for a long time and there isn't even an option to make it ignore TTLs [1].
This misconception (which it quite probably was) may have arisen from Xtra's load-balancing of several servers behind each of 202.27.184.3 and .5, the servers often seemed to refresh at different times and would thus end up with different TTLs on records and take a while to come fully "in sync". I don't think I can really speak authoritatively on this subject though 8^) -- -Michael Fincham System Administrator, Unleash www.unleash.co.nz Phone: 0800 750 250 DDI: 03 978 1223 Mobile: 027 666 4482
Have you waited for the TTL to expire before checking?
I haven't had any problems normally, however on occasion the previous ISP
hosting the domain doesn't remove their own local config but other ISPs are
fine.
Cameron
On Fri, Apr 24, 2009 at 1:11 PM, Thomas Rowley
Lately I've had a lot of issues with domain nameserver changes taking *ages* to propagate in NZ. They seem to propagate really quickly everywhere else in the world from what I can tell.
Do some NZ ISPs take longer to update their DNS records for some reason? Anyone else experienced this?
Cheers Thomas
On 24/04/2009, at 1:11 PM, Thomas Rowley wrote:
Lately I've had a lot of issues with domain nameserver changes taking ages to propagate in NZ. They seem to propagate really quickly everywhere else in the world from what I can tell.
Do some NZ ISPs take longer to update their DNS records for some reason? Anyone else experienced this?
This bad service is by design, and required the following standards to be set:
a) Never work with your competitors in a way that makes changes to the DNS seamless
b) Always have at least 7 days TTL in your zone files
c) When losing delegation, remove the domain from your authoritative name servers instantly

It's not about name servers updating records. It's about them forgetting what they last knew to be useful data. Unfortunately, they remember it for a period of time set by whoever provided that data in the first place. Unless you are really clueless and have authoritative name servers that allow recursion and you encourage your customers to do lookups on them. That way you serve them stale data until somebody or thing removes the domain allowing the new world view to appear.

Didn't we have this discussion back in 1998?

regards Peter Mott Swizzle | wholesale hosted servers +64 21 279 4995 -/-
Getting off topic here, but I'll add my 5 cents. Peter Mott wrote:
On 24/04/2009, at 1:11 PM, Thomas Rowley wrote:
Unless you are really clueless and have authoritative name servers that allow recursion and you encourage your customers to do lookups on them. That way you serve them stale data until somebody or thing removes the domain allowing the new world view to appear.
Which most (all?) of the major ISPs do. If they didn't you wouldn't need to email them to remove the records (they wouldn't matter once the .nz registry was updated to point away). Not only is this bad practice & adds extra workload to the helpdesk / DNS admins, it's also very poor security for customers using those DNS servers. Just look at what happened with msn.co.nz earlier this week.

Let's say I'm a naughty person who says I want to host $bank.co.nz on my purchased web space provided by $ISP via their account portal.... or I call the ISP helpdesk who happily help me by setting up the DNS settings, I've now successfully hijacked all that ISP's traffic to said $bank & can do all manner of nasty things. This is a serious flaw waiting to be exploited & ISPs need to take it seriously & fix it.

Words are my own ... not my employers yada yada yada.

Quintin -- Email: quintin(a)sitehost.co.nz Auckland: +64 (09) 974 2182 Wellington: +64 (04) 974 4325 Nationwide: +64 0800 484 537
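Two messages in this thread point at the same control: aj's suggestion of checking authoritativeness against the TLD's servers rather than whois when retiring old zones, and Quintin's concern about a portal or helpdesk loading a zone for a domain that was never delegated to the ISP. The Python below is an added example, not code from the thread or from any of the posters: it parses the text of `dig +norecurse @<tld-server> <zone> NS` (the nameserver names and dig transcripts are constructed) and turns the delegation into a keep/retire/defer decision, with the same decision gating zone creation. Network I/O is left to the caller so the logic can be read and tested offline.

```python
"""Added example (not from the thread): decide whether a hosted zone is still
ours to serve by asking the TLD servers for its delegation instead of whois.
Nameserver names and the dig transcripts below are constructed."""
import re

# Hypothetical: the nameservers this ISP operates.
OUR_NAMESERVERS = {"ns1.example-isp.nz", "ns2.example-isp.nz"}

STATUS_RE = re.compile(r"status:\s*([A-Z]+)")
NS_RE = re.compile(r"^\S+\s+\d+\s+IN\s+NS\s+(\S+)$", re.IGNORECASE)


def normalise(name: str) -> str:
    """DNS names are case-insensitive and dig prints them fully qualified."""
    return name.rstrip(".").lower()


def parse_delegation(dig_output: str):
    """Parse the text of `dig +norecurse @<tld-server> <zone> NS`.
    Returns (rcode, set of delegated nameservers). A referral carries the NS
    set in the AUTHORITY section; a server authoritative for the parent (as
    .nz's servers are for co.nz) puts it in ANSWER, so both sections are read."""
    m = STATUS_RE.search(dig_output)
    rcode = m.group(1) if m else None             # None: timeout or garbage reply
    delegated = set()
    section = ""
    for raw in dig_output.splitlines():
        line = raw.strip()
        if line.startswith(";;") and line.endswith("SECTION:"):
            section = line
            continue
        if not line or line.startswith(";"):
            continue
        if "ANSWER" in section or "AUTHORITY" in section:
            hit = NS_RE.match(line)
            if hit:
                delegated.add(normalise(hit.group(1)))
    return rcode, delegated


def zone_decision(dig_output: str, ours=OUR_NAMESERVERS) -> str:
    """'retire' - the registry no longer delegates to any of our servers
       'keep'   - at least one of our servers is in the delegation
       'defer'  - lookup failed or returned nothing usable; never act on an error"""
    rcode, delegated = parse_delegation(dig_output)
    if rcode == "NXDOMAIN":
        return "retire"                           # dropped from the registry entirely
    if rcode != "NOERROR" or not delegated:
        return "defer"                            # SERVFAIL, timeout, empty reply: retry later
    return "keep" if delegated & {normalise(n) for n in ours} else "retire"


def allow_zone_creation(dig_output: str, ours=OUR_NAMESERVERS) -> bool:
    """Gate for a customer portal or helpdesk: only load a zone the registry
    actually delegates to us, so nobody can park someone else's domain on
    servers our customers resolve against."""
    return zone_decision(dig_output, ours) == "keep"


# Constructed dig transcripts, trimmed to the relevant lines.
STILL_OURS = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;example.co.nz.\t\t\tIN\tNS

;; AUTHORITY SECTION:
example.co.nz.\t\t86400\tIN\tNS\tNS1.Example-ISP.nz.
example.co.nz.\t\t86400\tIN\tNS\tns2.example-isp.nz.
"""
MOVED_AWAY = (STILL_OURS
              .replace("NS1.Example-ISP.nz.", "ns1.other-host.example.")
              .replace("ns2.example-isp.nz.", "ns2.other-host.example."))
GONE = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4243
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; AUTHORITY SECTION:
co.nz.\t\t\t900\tIN\tSOA\tns1.example-registry.nz. hostmaster.example-registry.nz. 1 900 300 604800 900
"""
BROKEN = ";; connection timed out; no servers could be reached\n"

if __name__ == "__main__":
    for label, out in [("still ours", STILL_OURS), ("moved away", MOVED_AWAY),
                       ("gone", GONE), ("broken", BROKEN)]:
        print(f"{label:11s} -> {zone_decision(out)}")
```

The "defer" outcome is deliberate: a nightly job that retires zones on SERVFAIL or a timeout would drop live customer domains during a registry outage, which is exactly the kind of unnotified cancellation Mark describes above. Feed it the output of a real `dig` against the TLD's servers and let it remove only what the registry has genuinely moved away.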
participants (18)
- Alastair Johnson
- Andy Linton
- bmanning@vacation.karoshi.com
- Cameron
- Dave Mill
- Jay Daley
- Joe Abley
- lenz
- Mark Foster
- Matthew Moyle-Croft
- Michael Fincham
- Nathan Ward
- Patrick Jordan-Smith
- Peter Mott
- Quintin Russ
- Simon Lyall
- Steve Phillips
- Thomas Rowley