Handling of zone transfers and notify messages

Måns Nilsson mansaxel at sunet.se
Mon Oct 18 12:59:10 UTC 2004

--On måndag 18 oktober 2004 10.08 +0200 Miek Gieben <miekg at atoom.net> wrote:

> So if one zone transfer succeeds the db is rebuilt. If for whatever
> reason a transfer fails, then nsd will keep on serving the old
> data.
> Is this not the desired behavior? Or am I missing something (obvious)?

This is exactly the desired behaviour if there is but one zone in the
database. If there is more than one zone I don't want a failure to load or
compile one of these zones to cause *all the other zones* to not be
rebuilt. At any given point in time the name server should serve the latest
version of all zones available, and not hang up on one being broken. I have
a machine with one zone being very critical (ccTLD) and some less but still
critical (IN-ADDR.ARPA, etc). When one of these less critical ones had an error
(AFSDB bug) zonec refused to rebuild and the ccTLD started to, while still
being available, hand out old data. Doubleplusbad, especially in a SLA
situation where "speed of update propagation" is both monitored and fined.

On top of this comes the issue of what should be done with failed zones.
Several outcomes are possible, as has been mentioned above:

1. go SERVFAIL, i.e. remove zone.

2. go lame, i.e. remove AA but serve and refuse AXFR. (BIND method up to

3. hand out old data with AA bit set and pretend it is raining.

Nos. 1 and 2 are probably more clever than 3. In effect, #3 is what is being
done today, with all the other zones in that particular nsd instance --
hence the SLA issues.

Måns Nilsson         Systems Specialist
+46 70 681 7204         KTHNOC
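The per-zone rebuild semantics argued for in the post, as an added illustration that is neither the author's code nor part of NSD: each zone is compiled independently, a failure in one zone cannot block updates to the others, and the failed zone is handled according to one of the three listed options. `compile_zone` is a constructed stand-in for zonec, and the zone-file format it parses is invented for the example.

```python
from dataclasses import dataclass, field
from enum import Enum

class FailPolicy(Enum):
    SERVFAIL = 1   # option 1: drop the zone, answer SERVFAIL
    LAME = 2       # option 2: serve old data without AA, refuse AXFR
    STALE_AA = 3   # option 3: keep serving old data with AA, pretend it is raining

@dataclass
class ZoneState:
    serial: int
    aa: bool = True
    axfr_allowed: bool = True
    servfail: bool = False

@dataclass
class RebuildReport:
    updated: list = field(default_factory=list)
    failed: list = field(default_factory=list)

def rebuild(db, candidates, compile_zone, policy):
    """Rebuild every zone on its own. A zone that fails to compile never stops
    the other zones from being refreshed; the failed zone itself is handled by
    the chosen policy (the three options from the post)."""
    report = RebuildReport()
    for name, text in candidates.items():
        try:
            serial = compile_zone(text)
        except ValueError as exc:
            report.failed.append((name, str(exc)))
            old = db.get(name)
            if policy is FailPolicy.SERVFAIL or old is None:
                # nothing good to serve (or policy says drop it): answer SERVFAIL
                db[name] = ZoneState(serial=old.serial if old else 0, aa=False,
                                     axfr_allowed=False, servfail=True)
            elif policy is FailPolicy.LAME:
                db[name] = ZoneState(serial=old.serial, aa=False, axfr_allowed=False)
            # STALE_AA: leave the old, authoritative entry untouched
            continue
        db[name] = ZoneState(serial=serial)   # good zone: latest version, AA set
        report.updated.append(name)
    return report

def compile_zone(text):
    """Constructed stand-in for zonec: the SOA serial is the number following
    'SOA'; a line starting with 'BROKEN' stands for an unparsable record."""
    serial = None
    for line in text.splitlines():
        if line.startswith("BROKEN"):
            raise ValueError("unparsable record: " + line)
        if line.startswith("SOA "):
            serial = int(line.split()[1])
    if serial is None:
        raise ValueError("no SOA record")
    return serial
```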