In message <caaf6gdebo-4xmwe_xzzu2b4fefj5qwftic3grzxa1gbxdqf...@mail.gmail.com>, Colm MacCárthaigh writes:
> On Thu, Sep 11, 2014 at 4:28 PM, Mark Andrews <ma...@isc.org> wrote:
> > Actually timeout is much, much, much worse.
>
> When I experiment empirically there seem to be caches that will fail
> the resolution if one of the auth servers returned REFUSED or
> SERVFAIL. Different numbers for each, but both trigger it. Meanwhile
> timeouts do cause delay, but a greater percentage of resolutions
> succeed.

Which indicates broken recursive servers. Recursive servers should
be expecting misconfigured authoritative servers. You don't stuff up
authoritative behaviour because you have broken recursive servers.

> > Delegation should never succeed unless you can get a SOA response
> > for the zone being delegated from the nameservers being delegated
> > to.
>
> Of course, but that's not what .is do. They check for a completely
> different name first, not in the zone being delegated, and expect to
> see an error.

So they are doing an additional test to the ones I listed. I have
no problem with them checking this; however, this should be cached and
only rechecked periodically along with delegation checks and EDNS
compliance checks.

The basic "are you serving this zone" check should be done for every
delegation. EDNS compliance and basic response checks I would make
monthly.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
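
The basic "are you serving this zone" check discussed in this message, sketched as an added example (it is not code from the thread or from any registry): a non-recursive SOA query per delegated nameserver, with REFUSED, SERVFAIL, timeouts and non-authoritative replies told apart. The zone name, server names and replies are constructed, and `fake_response` and `check_delegation` are hypothetical helpers.

```python
import struct

QR, AA, TYPE_SOA, CLASS_IN = 0x8000, 0x0400, 6, 1

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_soa_query(zone, qid):  # non-recursive (RD=0) SOA query for the apex
    return (struct.pack("!6H", qid, 0, 1, 0, 0, 0) + encode_name(zone)
            + struct.pack("!2H", TYPE_SOA, CLASS_IN))

def skip_name(msg, off):  # offset just past a name or compression pointer
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def classify(response, qid):  # one server's reply; None stands for a timeout
    if response is None:
        return "timeout"
    try:
        rid, flags, qd, an = struct.unpack("!4H", response[:8])
        if rid != qid or not flags & QR:
            return "malformed"
        if flags & 0xF:  # non-zero RCODE
            return {2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}.get(flags & 0xF, "other-rcode")
        if not flags & AA:
            return "not-authoritative"
        off = 12
        for _ in range(qd):  # skip the echoed question
            off = skip_name(response, off) + 4
        for _ in range(an):  # look for an SOA record in the answer section
            off = skip_name(response, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
            if rtype == TYPE_SOA:
                return "ok"
            off += 10 + rdlen
    except (IndexError, struct.error):
        return "malformed"
    return "no-soa"

def fake_response(query, flags, soa=False):  # constructed reply, not captured traffic
    rdata = (encode_name("ns1.zone.example") + encode_name("hostmaster.zone.example")
             + struct.pack("!5I", 1, 7200, 900, 1209600, 3600))
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, 3600, len(rdata)) + rdata
    return query[:2] + struct.pack("!5H", flags, 1, int(soa), 0, 0) + query[12:] + (rr if soa else b"")

def check_delegation(replies, qid):  # delegate only if every server serves the zone
    results = {ns: classify(raw, qid) for ns, raw in replies.items()}
    return results, all(r == "ok" for r in results.values())
```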