North American Network Operators Group
Re: Gotchas of changing the IP Address of an Authoritative DNS Server
- From: bmanning
- Date: Wed Dec 14 11:55:59 2005
On Wed, Dec 14, 2005 at 10:02:56AM -0500, Joe Abley wrote:
> On 13-Dec-2005, at 16:28, Steven M. Bellovin wrote:
> >In message <email@example.com>, Sam Crooks writes:
> >>I would think you would want to drop your DNS record TTLs for all
> >>domains being moved to something very low several days before the
> >>switch-over period.
> >More precisely, you want to change the TTL on the NS records, which
> >are in the parent zone. If you're keeping the name but changing the
> >address, worry about the A records, too.
> You also want to check all the registries which are superordinate to
> zones your server is authoritative for, and check that any IP
> addresses stored in those registries for your nameserver are updated,
> otherwise you will experience either immediate or future glue madness.
> A conservative approach to this kind of transition is to arrange for
> your nameserver (or different nameservers hosting the same data) to
> respond on both the old and new addresses, and to continue in that
> mode until you see no queries directed at the old address for some
> safe-seeming interval (bearing in mind TTLs and cached records,
> alluded to by Steven and Sam).
currently in the middle of such a safe, conservative
transition leads me to believe that there will -NEVER-
be a point w/ there are no queries to the old address.
(he says, 24 months into a transition...) The right
tactic is to make the change, based on 2x the TTL of the SOA.
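As an added example (not code from this thread or from any of its posters), here is the "watch the old address" check behind the conservative approach, combined with the 2x-TTL rule of thumb from the reply above: it parses a BIND-style query log (the line format and the sample lines are constructed, as are the 198.51.100.1 old and 203.0.113.1 new addresses), counts what still arrives on each listening address, reports the residual share hitting the old one, and decides whether the old address has been quiet for twice the TTL.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of a BIND 9 query log (format assumed);
# the trailing parenthesised address is the server address the query arrived on.
LOG = """\
14-Dec-2005 11:50:01.001 client 192.0.2.10#3000 (example.net): query: example.net IN A + (198.51.100.1)
14-Dec-2005 11:50:02.002 client 192.0.2.11#3001 (example.net): query: www.example.net IN A + (203.0.113.1)
14-Dec-2005 11:50:03.003 client 192.0.2.12#3002 (example.net): query: example.net IN MX + (203.0.113.1)
14-Dec-2005 11:55:04.004 client 192.0.2.13#3003 (example.net): query: example.net IN NS + (198.51.100.1)
14-Dec-2005 11:55:05.005 client 192.0.2.14#3004 (example.net): query: ns1.example.net IN A + (203.0.113.1)
"""
OLD = "198.51.100.1"  # address being retired (constructed)
NEW = "203.0.113.1"   # replacement address (constructed)

LINE = re.compile(r"^(\S+ \S+) client (\S+)#\d+ \(\S+\): query: (\S+) IN (\S+) \S+ \((\S+)\)$")

def parse(log):
    """Yield (timestamp, client, qname, qtype, listening_addr) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not query-log entries
        ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
        yield ts, m.group(2), m.group(3), m.group(4), m.group(5)

def per_address(log):
    """Query count, distinct clients and last-seen time per listening address."""
    stats = defaultdict(lambda: {"count": 0, "clients": set(), "last": None})
    for ts, client, _, _, addr in parse(log):
        s = stats[addr]
        s["count"] += 1
        s["clients"].add(client)
        if s["last"] is None or ts > s["last"]:
            s["last"] = ts
    return stats

def residual_share(log, old):
    """Fraction of all queries still arriving on the old address (may never reach 0)."""
    stats = per_address(log)
    total = sum(s["count"] for s in stats.values())
    return stats[old]["count"] / total if total else 0.0

def old_address_quiet(log, old, ttl_seconds, now):
    """True once nothing has hit `old` for at least 2x the TTL (the rule of thumb above)."""
    stats = per_address(log)
    last = stats[old]["last"] if old in stats else None
    return last is None or now - last >= timedelta(seconds=2 * ttl_seconds)
```

Feed it the real log and the real addresses, and treat a non-zero but tiny residual share as the signal to cut over rather than waiting for zero.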