Problems with bind9 caching too long
Brad Knowles
brad at stop.mail-abuse.org
Tue Mar 15 02:57:20 UTC 2005
At 6:23 PM -0800 2005-03-14, Phil Dibowitz wrote:
> Or - lets say we'd done this with a newer company, or ultradns when they were
> new... but then they started doing questionable things... so we pull their
> delegation. Except that despite _owning_ usc.edu, I can't exert any control
> over www.usc.edu once I've delegated it - even to revoke that
> delegation. This doesn't follow, at least in my mind.
If you own the parent zone, then you can yank the delegation for
the child zone. Wherever you point that new delegation, they are
authoritative for that information. Whatever information you may
have about that zone (beyond the NS records) is just glue and is not
authoritative.
Now, if you delegate that zone to yourself, you can be
authoritative for both the parent and the child.
Either way, once the delegation is pointed somewhere else, it
shouldn't matter what the old server operators do.
The only time you run into problems here is when the old server
operators for the child zone are also responsible for running the
parent zone, and then you get into nasty problems, as the information
for the old child zone effectively "poisons" the information that
they store in the parent zone.
The way to solve this problem is to run software that keeps
"Chinese walls" between all parent zone and child zone information,
which I think is the problem that Mark alluded to.
--
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.
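The "Chinese walls" point above, illustrated as an added example (not code from the original post, and not BIND's implementation): a toy resolver cache that applies the two defensive rules a caching server uses to keep parent-side and child-side data apart. Records are accepted only if they fall inside the bailiwick of the zone the answering server serves, and data of lower credibility (glue in the additional section of a referral) never overwrites data of higher credibility (an answer from the zone's own authoritative server). All zone names, hosts and addresses below are constructed for the demonstration, and the trust-level names are this example's own.

```python
"""Toy resolver cache showing bailiwick checks and credibility ranking.

Added example, not from the original post or from BIND. It models the
"Chinese walls" idea: a response may only add data for names inside the
zone the responding server is authoritative for, and lower-trust data
(glue / additional) never overwrites higher-trust data (authoritative
answers). Zone and host names below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Trust levels, lowest first (names are this example's own, loosely modelled
# on the credibility ranking caching resolvers apply).
TRUST_ADDITIONAL = 1    # additional-section records (glue) from a referral
TRUST_AUTHORITY = 2     # NS records in the authority section
TRUST_ANSWER_AUTH = 3   # answer-section records from an authoritative server


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    rdata: str


@dataclass
class Response:
    zone: str                        # zone the answering server serves (its bailiwick)
    answer: List[Record] = field(default_factory=list)
    authority: List[Record] = field(default_factory=list)
    additional: List[Record] = field(default_factory=list)


def norm(name: str) -> str:
    return name.rstrip(".").lower()


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone apex itself or lies below it."""
    n, z = norm(name), norm(zone)
    return n == z or n.endswith("." + z)


class Cache:
    def __init__(self) -> None:
        # (name, type) -> (trust level, list of rdata)
        self.entries: Dict[Tuple[str, str], Tuple[int, List[str]]] = {}
        self.rejected: List[Tuple[Record, str]] = []

    def get(self, name: str, rtype: str) -> List[str]:
        entry = self.entries.get((norm(name), rtype.upper()))
        return list(entry[1]) if entry else []

    def _store(self, recs: List[Record], trust: int) -> None:
        # Group by (name, type) so an RRset replaces, rather than appends to, an old one.
        grouped: Dict[Tuple[str, str], List[str]] = {}
        for r in recs:
            grouped.setdefault((norm(r.name), r.rtype.upper()), []).append(r.rdata)
        for key, rdatas in grouped.items():
            cached = self.entries.get(key)
            if cached is not None and cached[0] > trust:
                continue        # keep the more credible data already cached
            self.entries[key] = (trust, rdatas)

    def ingest(self, resp: Response) -> None:
        for section, trust in ((resp.answer, TRUST_ANSWER_AUTH),
                               (resp.authority, TRUST_AUTHORITY),
                               (resp.additional, TRUST_ADDITIONAL)):
            accepted = []
            for r in section:
                if in_bailiwick(r.name, resp.zone):
                    accepted.append(r)
                else:
                    self.rejected.append((r, resp.zone))   # out-of-bailiwick: drop
            self._store(accepted, trust)


def run_scenario() -> Cache:
    cache = Cache()
    # 1. Referral from the parent (example.org) for the child zone sub.example.org.
    #    The glue for ns1.sub.example.org is in bailiwick; the extra A record for
    #    www.example.net is not and must be discarded.
    cache.ingest(Response(
        zone="example.org",
        authority=[Record("sub.example.org", "NS", "ns1.sub.example.org")],
        additional=[Record("ns1.sub.example.org", "A", "192.0.2.1"),
                    Record("www.example.net", "A", "203.0.113.9")],
    ))
    # 2. Authoritative answer from the child zone's own server.
    cache.ingest(Response(
        zone="sub.example.org",
        answer=[Record("www.sub.example.org", "A", "192.0.2.10")],
        authority=[Record("sub.example.org", "NS", "ns1.sub.example.org")],
        additional=[Record("ns1.sub.example.org", "A", "192.0.2.1")],
    ))
    # 3. A later parent-side response carries an unsolicited A record for
    #    www.sub.example.org in its additional section. It is inside the
    #    parent's bailiwick, but as glue-level data it must not overwrite the
    #    authoritative answer already cached.
    cache.ingest(Response(
        zone="example.org",
        authority=[Record("sub.example.org", "NS", "ns1.sub.example.org")],
        additional=[Record("www.sub.example.org", "A", "198.51.100.7")],
    ))
    return cache


if __name__ == "__main__":
    c = run_scenario()
    print("www.sub.example.org A ->", c.get("www.sub.example.org", "A"))
    print("rejected:", [(r.name, zone) for r, zone in c.rejected])
```

Running the scenario leaves `www.sub.example.org` at the child's authoritative 192.0.2.10 and records the out-of-bailiwick `www.example.net` record as rejected; this is the separation that stops non-authoritative parent-side data from "poisoning" what the cache holds for the child zone.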