<div dir="ltr"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><br></div></div><div class="gmail_quote"><div dir="ltr">On Tue, Aug 7, 2018 at 5:01 PM John Miller <<a href="mailto:johnmill@brandeis.edu">johnmill@brandeis.edu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hal, we've done this before - it's not particularly hard, just takes a<br>
bit for everyone to pick up the new set of NS records. You just make<br>
the change upstream and also remove the NS records that reference the<br>
system. It's kind of weird: during the interim, you'll have a running<br>
nameserver that doesn't return itself in its NS records. If the same<br>
set of servers also serves your reverse zones, don't forget to update<br>
ARIN as well as Educause.<br>
<br>
Educause sets their upstream TTLs to two days (ARIN's 1 day), but<br>
people shouldn't be caching the referral, only your actual NS records.<br>
If you're at all concerned, you can always set a low TTL ahead of time<br>
on your NS records, so everyone will pull the updated records<br>
relatively quickly once you make your changes.<br>
<br>
John<br>
<br>
On Tue, Aug 7, 2018 at 4:46 PM, King, Harold Clyde (Hal) <<a href="mailto:hck@utk.edu" target="_blank">hck@utk.edu</a>> wrote:<br>
> I don't think I made my point. I need to pull/remove a DNS nameserver from my set of nameservers.<br>
> My plan was to put the reference to it from our domain name provider. Then pull it from the list of NS records. I am not changing my SOA record. Just the nameserver. Did I make a mistake? Did you mean pull the NS reord for that server, then pull it from the name provider. I'll still have 4 servers running the SOA, and I don't plan to stop the old nameserver until well after a week of running.<br>
><br>
><br>
> --<br>
> Hal King - <a href="mailto:hck@utk.edu" target="_blank">hck@utk.edu</a><br>
> Systems Administrator<br>
> Office of Information Technology<br>
> Shared Systems Services<br></blockquote><div><br></div><div>If I remember correctly, setting my NS ttl lower than my parent caused a problem when one of my servers failed and I took it out of the NS record set. I think it went something like this:</div><div><br></div><div>resolver asks tld (before the change) and gets:</div><div><a href="http://example.com">example.com</a> 2d NS <a href="http://dns1.example.com">dns1.example.com</a></div><div><a href="http://example.com">example.com</a> 2d NS <a href="http://dns2.example.com">dns2.example.com</a><br></div><div><a href="http://example.com">example.com</a> 2d NS <a href="http://dns3.example.com">dns3.example.com</a><br></div><div><br></div><div>dns3 fails and I remove it from the NS records, both locally and at the parent TLD.</div><div><br></div><div>Resolver talks to my servers (a few hours later, after the change) and gets:</div><div><div><a href="http://example.com">example.com</a> 1h NS <a href="http://dns1.example.com">dns1.example.com</a></div><div><a href="http://example.com">example.com</a> 1h NS <a href="http://dns2.example.com">dns2.example.com</a><br></div><div><br></div></div><div>Resolver cache now has:</div><div><div><a href="http://example.com">example.com</a> 1h NS <a href="http://dns1.example.com">dns1.example.com</a></div><div><a href="http://example.com">example.com</a> 1h NS <a href="http://dns2.example.com">dns2.example.com</a><br></div><div><a href="http://example.com">example.com</a> 2d NS <a href="http://dns3.example.com">dns3.example.com</a><br></div></div><div><br></div><div>An hour later the two shorter NS records expire and the resolver is left with:</div><div><a href="http://example.com">example.com</a> 2d NS <a href="http://dns3.example.com">dns3.example.com</a><br></div><div><br></div><div>If <a href="http://dns3.example.com">dns3.example.com</a> is down, the resolver will fail to reach my zone, and will not ask the TLD until that record expires.</div><div><br></div><div>So I think the TTL on NS records needs to match the parent zone, whether I like that ttl or not.</div><div><br></div><div>In your case, removing the NS records from both your zone and the parent zone, two days (or whatever the ttl) before you turn off the server, should be fine.</div><div><br></div><div>-- </div><div>Bob Harold</div><div><br></div></div></div>