[HN Gopher] Top Ten Most Frequent DNS Test Failures
___________________________________________________________________
Top Ten Most Frequent DNS Test Failures
Author : jarreed0
Score : 17 points
Date : 2023-08-21 19:40 UTC (3 hours ago)
(HTM) web link (dnsinstitute.com)
(TXT) w3m dump (dnsinstitute.com)
| ShadowBanThis01 wrote:
| Here's a nitpick for y'all to downvote: "Top" and "most" don't
| belong in the same title. It's just the "ten most frequent DNS
| test failures." "Top" is redundant.
| colmmacc wrote:
| This is an odd set of tests.
|
| Apart from the negative cache value, none of the numbers in a SOA
| record matter at all unless you're doing very old-school
| secondary DNS setups with AXFR/IXFR, usually with Bind or maybe
| NSD. That's rare these days, and not very secure. You really
| shouldn't use that.
|
| A TTL of 30 minutes is a _terrible_ idea if you're using DNS for
| failover with health checks, or load balancing, and a negative
| cache value of 30 minutes also seems unnecessarily long. That's a
| long time to have people impacted by a mistakenly deleted record.
|
| The CD bit being set or not doesn't matter if you're not using
| DNSSEC. Though it's probably worth getting the bit correct.
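The two SOA fields the comment above actually cares about (negative-cache TTL and record TTL for failover) can be linted mechanically. The following is an added example, not code from the linked article or from any commenter; the parser handles single-line presentation-format SOA records, and the thresholds (30 minutes for TTL and negative cache, 4 weeks for EXPIRE) are assumptions chosen to mirror the comment, not values the page states.

```python
import re
from dataclasses import dataclass
from typing import List

# Single-line presentation-format SOA record: owner [ttl] [IN] SOA mname rname
# serial refresh retry expire minimum. Class and TTL are optional.
SOA_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:(?P<ttl>\d+)\s+)?(?:IN\s+)?SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)"
    r"\s+(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)\s+(?P<expire>\d+)\s+(?P<minimum>\d+)\s*$"
)

@dataclass
class Soa:
    name: str
    ttl: int       # record TTL; 0 when the line carries none
    serial: int
    refresh: int
    retry: int
    expire: int    # only consulted by AXFR/IXFR secondaries
    minimum: int   # negative-cache TTL (RFC 2308 meaning of MINIMUM)

def parse_soa(line: str) -> Soa:
    m = SOA_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a single-line SOA record: {line!r}")
    g = m.groupdict()
    return Soa(g["name"], int(g["ttl"] or 0), int(g["serial"]), int(g["refresh"]),
               int(g["retry"]), int(g["expire"]), int(g["minimum"]))

def lint_soa(soa: Soa, failover: bool, max_ttl: int = 1800,
             max_negative: int = 1800, max_expire: int = 4 * 7 * 86400) -> List[str]:
    """Return human-readable findings. Thresholds are assumptions for this example."""
    findings = []
    if failover and soa.ttl >= max_ttl:
        findings.append(f"TTL {soa.ttl}s is too long for health-check based failover")
    if soa.minimum >= max_negative:
        findings.append(f"negative-cache TTL {soa.minimum}s: a deleted record stays "
                        f"NXDOMAIN in resolvers for {soa.minimum // 60} minutes")
    if soa.expire > max_expire:
        years = soa.expire / 31_536_000
        findings.append(f"EXPIRE {soa.expire}s (~{years:.1f} years) only matters to "
                        f"zone-transfer secondaries, but is far beyond any sane value")
    return findings

# Constructed sample records (not real zone data).
LONG_SOA = ("example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. "
            "2023082101 7200 900 600000000 1800")
SANE_SOA = ("example.test. 300 IN SOA ns1.example.test. hostmaster.example.test. "
            "2023082101 7200 900 1209600 300")

if __name__ == "__main__":
    for rec in (LONG_SOA, SANE_SOA):
        print(parse_soa(rec).name, lint_soa(parse_soa(rec), failover=True))
```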
| canvascritic wrote:
| Kind of an aside, but I've always been curious about how
| different DNS server implementations handle TTL outliers,
| especially given the discrepancies between recommended values and
| real-world configurations. Particularly re D103900 in TFA about
| the SOA TTL recommendation, does anyone here have insights on
| dealing with the rate of stale records in caches due to
| exceptionally high TTL values? Additionally, has there been any
| analysis on the impact of DNSSEC chain of trust integrity with
| long-standing SOA EXPIRE values, like the mentioned "ma" TLD's 19
| years?
___________________________________________________________________
(page generated 2023-08-21 23:01 UTC)