Can bind be configured to not drop RR's from the cache when the upstream DNS server is unresponsive

Darcy Kevin (FCA) kevin.darcy at fcagroup.com
Fri Mar 18 20:48:08 UTC 2016


So, they’re not the least bit embarrassed by their abject inability to provide reliable authoritative nameservice, eh?

In my experience, partners who have egg on their faces because they’ve recently caused major outages, tend to be more willing than usual to co-operate on ways to prevent further outages, and replicating zone data *is* the classic way to enhance its availability.

(And hopefully you understand that slaving the zone doesn’t require your nameservers to be published for them, although if you’re a “stealth slave” you might want to make special arrangements for NOTIFY, as I touched on in my previous message).

- Kevin

----------------------------------------------------------------------
Kevin Darcy
NAFTA Information Security Projects

FCA US LLC
1075 W Entrance Dr,
Auburn Hills, MI 48326
USA

Telephone: +1 (248) 838-6601
Mobile: +1 (810) 397-0103
Email: kevin.darcy at fcagroup.com

From: bind-users-bounces at lists.isc.org [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Ron
Sent: Friday, March 18, 2016 4:41 PM
To: bind-users at lists.isc.org
Subject: Re: Can bind be configured to not drop RR's from the cache when the upstream DNS server is unresponsive

Slave the zone? Oh, run secondary. Fat chance.

Ron

On Fri, Mar 18, 2016 at 5:03 PM, Darcy Kevin (FCA) <kevin.darcy at fcagroup.com> wrote:
Would they be receptive to letting you slave the zone? At least then you’d have the whole EXPIRE time before the names stopped resolving.

If they’re concerned about security, then the transfers could be locked down by source IP address, or, if their software supports it, TSIG key.

One of the downsides of slaving, of course, is that changes might take a while to replicate, unless NOTIFY is set up.

- Kevin


From: bind-users-bounces at lists.isc.org [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Ron
Sent: Friday, March 18, 2016 4:46 AM
To: G.W. Haywood
Cc: bind-users at lists.isc.org
Subject: Re: Can bind be configured to not drop RR's from the cache when the upstream DNS server is unresponsive



On Fri, Mar 18, 2016 at 12:12 AM, G.W. Haywood <bind at jubileegroup.co.uk> wrote:
Hi there,

On Thu, 17 Mar 2016, Ron wrote:
... in this case it's a supplier who is unable to keep his DNS servers
working, and we just want to keep the connectivity.

I'd just put something in /etc/hosts and send myself an email every
month or so to remind me I'd done that.


This is what we're currently using, but it has the downside of not picking up IP address changes.

Ron



--

73,
Ged.



_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
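
The arrangement suggested in the thread (a stealth slave, zone transfers locked down by TSIG key or source IP, NOTIFY set up explicitly), as an added named.conf example that is not from any of the posters. It assumes both sides run BIND; the zone name, addresses, key name, secret and file paths are all placeholders.

```conf
// ===== On the supplier's primary (placeholder address 192.0.2.1) =====
key "xfer-key" {                          // hypothetical key name
    algorithm hmac-sha256;
    secret "REPLACE_WITH_SHARED_BASE64_SECRET";   // placeholder, e.g. from tsig-keygen
};

zone "supplier.example" {                 // placeholder zone name
    type master;
    file "master/supplier.example.db";
    // Only holders of the TSIG key may transfer the zone ...
    allow-transfer { key xfer-key; };
    // ... or, if TSIG is not supported, restrict by source IP instead:
    // allow-transfer { 198.51.100.53; };
    // A stealth slave is not in the zone's NS records, so it is not
    // notified by default; list it explicitly so changes replicate promptly.
    also-notify { 198.51.100.53; };
};

// ===== On your own server, the stealth slave (placeholder 198.51.100.53) =====
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_SHARED_BASE64_SECRET";   // same secret as on the primary
};

// Sign everything sent to the primary (SOA refresh queries, AXFR/IXFR).
server 192.0.2.1 { keys { xfer-key; }; };

zone "supplier.example" {
    type slave;
    masters { 192.0.2.1; };
    file "slaves/supplier.example.db";
    // Do not re-export the supplier's data from this server.
    allow-transfer { none; };
};
// If the primary becomes unreachable, the transferred copy keeps answering
// until the zone's SOA EXPIRE interval runs out without a successful refresh.
```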

