RE: Gothcas of changing the IP Address of an Authoritative DNS Server

2005-12-14 Thread Gregory Hicks


> From: "Ejay Hire" <[EMAIL PROTECTED]>
> To: "'Eric Kagan'" <[EMAIL PROTECTED]>, 
> Subject: RE: Gothcas of changing the IP Address of an Authoritative DNS Server
> Date: Wed, 14 Dec 2005 13:15:42 -0600
> 
> 
> assuming you've got the old box and the new one running
> concurrently, you could run tcpdump on the old box with a
> filter to only catch dns requests to the old ip.  Let it run
> for 24-48 hours and you could see who/what was still
> querying the old ip.

This topic comes up frequently on [EMAIL PROTECTED] ...

Might query there but many of these responses have covered much of what is 
discussed there.

Regards,
Gregory Hicks

> 
> -e
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Kagan
> > Sent: Tuesday, December 13, 2005 2:45 PM
> > To: nanog@merit.edu
> > Subject: Gothcas of changing the IP Address of an Authoritative DNS Server
> > 
> > We need to move our Primary DNS server from legacy IP space provided by
> > our upstreams to our ARIN Assigned IP space.  I am looking for advice and
> > any gotchas.  I couldn't find any white papers to this effect or archived
> > articles or postings.  If someone does have a resource for this or find
> > this could be valuable, I can certainly gather all the info and document
> > it.  Most of the Registrars I have seen now use the Authoritative DNS
> > Server Host names for the domain name registrations vs the IP Address.
> > For most of our customers, we register and host the DNS.  I have
> > confirmed almost all the customers have either Network Solutions, Tucows,
> > Go Daddy and Register.com.
> > 
> > Can I simply change the IP address of our DNS server and update the DNS
> > Host Record with our registrar with the new IP and any A / NS records we
> > have ?  As long as other customers' domains have our DNS Server FQDN as
> > the Host, they should not need to make any changes, correct ?   I would
> > love to think it's that simple, but there is always a gotcha.  Does anyone
> > know of any main registries using just the IP Address where the customer
> > might need to go in and make those changes for each and every domain ?
> > Any input, advice or ideas is appreciated.
> > 
> > Thanks
> > Eric
> > 
> 

---
Gregory Hicks| Principal Systems Engineer
Cadence Design Systems   | Direct:   408.576.3609
555 River Oaks Pkwy M/S 6B1  | Fax:  408.894.3400
San Jose, CA 95134   | Internet: [EMAIL PROTECTED]

I am perfectly capable of learning from my mistakes.  I will surely
learn a great deal today.

"A democracy is a sheep and two wolves deciding on what to have for
lunch.  Freedom is a well armed sheep contesting the results of the
decision." - Benjamin Franklin

"The best we can hope for concerning the people at large is that they
be properly armed." --Alexander Hamilton




RE: Gothcas of changing the IP Address of an Authoritative DNS Server

2005-12-14 Thread Ejay Hire

assuming you've got the old box and the new one running
concurrently, you could run tcpdump on the old box with a
filter to only catch dns requests to the old ip.  Let it run
for 24-48 hours and you could see who/what was still
querying the old ip.

-e

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Kagan
> Sent: Tuesday, December 13, 2005 2:45 PM
> To: nanog@merit.edu
> Subject: Gothcas of changing the IP Address of an Authoritative DNS Server
> 
> We need to move our Primary DNS server from legacy IP space provided by
> our upstreams to our ARIN Assigned IP space.  I am looking for advice and
> any gotchas.  I couldn't find any white papers to this effect or archived
> articles or postings.  If someone does have a resource for this or find
> this could be valuable, I can certainly gather all the info and document
> it.  Most of the Registrars I have seen now use the Authoritative DNS
> Server Host names for the domain name registrations vs the IP Address.
> For most of our customers, we register and host the DNS.  I have
> confirmed almost all the customers have either Network Solutions, Tucows,
> Go Daddy and Register.com.
> 
> Can I simply change the IP address of our DNS server and update the DNS
> Host Record with our registrar with the new IP and any A / NS records we
> have ?  As long as other customers' domains have our DNS Server FQDN as
> the Host, they should not need to make any changes, correct ?   I would
> love to think it's that simple, but there is always a gotcha.  Does anyone
> know of any main registries using just the IP Address where the customer
> might need to go in and make those changes for each and every domain ?
> Any input, advice or ideas is appreciated.
> 
> Thanks
> Eric
> 



Re: Gothcas of changing the IP Address of an Authoritative DNS Server

2005-12-14 Thread David W. Hankins
On Wed, Dec 14, 2005 at 10:29:52AM -0500, Joe Abley wrote:
> There are registries that store A records for nameservers that aren't  
> subordinate to the zones they publish. While it'd be probably  

And for those that don't...some administrators (your predecessor
hostmaster?  the admin of zones you slave?) work around the problems
of lack of cross-zone glue by giving one nameserver's single IP address
multiple names, and therefore glue in multiple registries.

So it's still wise to look either way.

> problems; however, see paranoia, above.

It's not paranoia.  They really are out to get you.

-- 
David W. Hankins"If you don't do it right the first time,
Software Engineer   you'll just have to do it again."
Internet Systems Consortium, Inc.   -- Jack T. Hankins




RE: Gothcas of changing the IP Address of an Authoritative DNS Server

2005-12-14 Thread Hannigan, Martin

 
> On 14-Dec-05, at 10:02 AM, Joe Abley wrote:
> >
> > You also want to check all the registries which are superordinate  
> > to zones your server is authoritative for, and check that any IP  
> > addresses stored in those registries for your nameserver are  
> > updated, otherwise you will experience either immediate or future  
> > glue madness.
> >
> > A conservative approach to this kind of transition is to arrange  
> > for your nameserver (or different nameservers hosting the same  
> > data) to respond on both the old and new addresses, and to 
> continue  
> > in that mode until you see no queries directed at the old address  
> > for some safe-seeming interval (bearing in mind TTLs and cached  
> > records, alluded to by Steven and Sam).
> 
> If you have access customers (Dial/Broadband/etc) make sure
> they know the IP for your DNS server is changing in case they
> hardcode the IP of your DNS server into their PCs.

It might be wise to keep the old addrs as host routes on interface
aliases on the same machine for simplicity's sake. (Joe said that kinda).
Both unix and cisco support this. You will likely not miss a beat
if you're able to do this and see who's using
the old addrs (hard coded) after the TTL expires - methinks.

If you really care, you could chase down your hard coded users
or just shut down and force them to call. The number would dictate which
one I suppose.


-M<
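Ejay's suggestion of watching the old address with tcpdump and Martin's suggestion of keeping the old address alive as an interface alias meanwhile, put together as an added shell example. This is not code from any poster in this thread. The addresses, the interface name and the captured lines are constructed placeholders from the documentation ranges; the alias function assumes Linux iproute2 and the capture function assumes a tcpdump that understands `-i any`. Both of those are shown but not executed here; only the tally over the constructed sample runs.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread. Keep the old address
# answering during the overlap, capture what still arrives there, and tally
# the clients that send it. Addresses, interface and captured lines are
# constructed placeholders (documentation ranges).
OLD_IP="192.0.2.53"     # the address being retired (placeholder)
IFACE="eth0"            # interface carrying the old address (placeholder)
CAPTURE_LOG="/var/tmp/old-dns-clients.txt"

# Martin's interface alias: keep the old address as a second address on the
# same box so it keeps answering. Assumes Linux iproute2. Shown, not run here.
keep_old_address_alive() {
    ip addr add "$OLD_IP/32" dev "$IFACE"
}

# Ejay's watch: log every DNS packet aimed at the old address. -nn stops
# tcpdump resolving hosts and ports itself (which would be more DNS traffic),
# -l line-buffers so the log grows as it runs. Leave it for the 24-48 hours
# suggested above (nohup/screen). Assumes Linux "-i any". Shown, not run here.
capture_old_ip_queries() {
    tcpdump -nn -l -i any "dst host $OLD_IP and port 53" >> "$CAPTURE_LOG"
}

# Tally source addresses in tcpdump's text output (stdin), one line per
# client, most talkative first. Handles the IPv4 line shape
#   <time> IP <src>.<sport> > <dst>.53: ...
# and ignores anything not aimed at $1 port 53 (IPv6 lines start with IP6
# and are not counted by this version).
summarise_sources() {
    awk -v old="$1" '$2 == "IP" && $4 == ">" && $5 == (old ".53:") {
        split($3, a, ".")                  # src is ip.port, e.g. 203.0.113.7.41231
        src = a[1] "." a[2] "." a[3] "." a[4]
        count[src]++
    } END { for (s in count) print count[s], s }' | sort -rn
}

# Constructed sample of capture output: two clients still using the old
# address, plus one query to another address that must not be counted.
SAMPLE_CAPTURE='14:03:21.100001 IP 203.0.113.7.41231 > 192.0.2.53.53: 12345+ A? example.com. (29)
14:03:21.200002 IP 203.0.113.7.41232 > 192.0.2.53.53: 12346+ MX? example.com. (29)
14:03:22.300003 IP 198.51.100.9.5353 > 192.0.2.53.53: 4+ A? www.example.net. (33)
14:03:23.400004 IP 198.51.100.9.5354 > 192.0.2.53.53: 5+ AAAA? www.example.net. (33)
14:03:23.500005 IP 198.51.100.9.5355 > 192.0.2.53.53: 6+ NS? example.net. (29)
14:03:24.600006 IP 203.0.113.7.41233 > 192.0.2.99.53: 7+ A? other.example. (29)'

# Stand-alone run over the sample; in real use feed it "cat $CAPTURE_LOG".
printf '%s\n' "$SAMPLE_CAPTURE" | summarise_sources "$OLD_IP"
```

Once the overlap period and the relevant TTLs have passed, the list that `summarise_sources` produces from the capture log is the set of hard-coded clients or stale caches still depending on the old address, which is the number Martin says would decide between chasing them down and simply turning the old address off.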



Re: Gothcas of changing the IP Address of an Authoritative DNS Server

2005-12-14 Thread Joe Abley



On 14-Dec-2005, at 11:52, [EMAIL PROTECTED] wrote:

> currently in the middle of such a safe, conservative
> transition leads me to believe that there will -NEVER-
> be a point w/ there are no queries to the old address.
> (he says, 24 months into a transition...)

It's probably reasonable to say that there are more historical
instances of B's address being hard-coded than there are for Eric's
authority server, though (and I'm guessing that he also doesn't have
to answer priming queries :-)

> The right
> tactic is to make the change, based on 2x the TTL of the SOA.

Joe


Re: Gothcas of changing the IP Address of an Authoritative DNS Server

2005-12-14 Thread bmanning

On Wed, Dec 14, 2005 at 10:02:56AM -0500, Joe Abley wrote:
> 
> 
> On 13-Dec-2005, at 16:28, Steven M. Bellovin wrote:
> 
> >In message <[EMAIL PROTECTED]>, Sam Crooks writes:
> >>
> >>I would think you would want to drop your DNS record TTLs for all
> >>domains being moved to something very low several days before the
> >>switch-over period.
> >
> >More precisely, you want to change the TTL on the NS records, which  
> >are
> >in the parent zone.  If you're keeping the name but changing the
> >address, worry about the A records, too.
> 
> You also want to check all the registries which are superordinate to  
> zones your server is authoritative for, and check that any IP  
> addresses stored in those registries for your nameserver are updated,  
> otherwise you will experience either immediate or future glue madness.
> 
> A conservative approach to this kind of transition is to arrange for  
> your nameserver (or different nameservers hosting the same data) to  
> respond on both the old and new addresses, and to continue in that  
> mode until you see no queries directed at the old address for some  
> safe-seeming interval (bearing in mind TTLs and cached records,  
> alluded to by Steven and Sam).

currently in the middle of such a safe, conservative 
transition leads me to believe that there will -NEVER-
be a point w/ there are no queries to the old address.
(he says, 24 months into a transition...)  The right 
tactic is to make the change, based on 2x the TTL of the SOA.

--bill
> 
> 
> Joe


Re: Gothcas of changing the IP Address of an Authoritative DNS Server

2005-12-14 Thread Joe Abley



On 14-Dec-2005, at 10:17, Joe Maimon wrote:

> Joe Abley wrote:
> 
> > You also want to check all the registries which are superordinate
> > to zones your server is authoritative for, and check that any IP
> > addresses stored in those registries for your nameserver are
> > updated, otherwise you will experience either immediate or future
> > glue madness.
> 
> I thought that would be only ONE registrar, hosting the ONE zone
> that contains the nameserver A record.
> 
> Unless you are in the habit of having domains registered with their
> own nameserver glue and pointing it at the same IP address.
> 
> Didn't registrars not allow that?

There are registries that store A records for nameservers that aren't
subordinate to the zones they publish. While it'd be probably
reasonable to assume that such registries wouldn't ever be able to
publish glue records which would cause operational problems (since
they'd be out-of-zone), in reality there's a substantial amount of
hokey DNS software in use out there and you can never quite predict
what will happen with absolute accuracy.

For my money, I'd err on the side of paranoia, and ensure that any
registry that had the old address stored in its database got the new
data, even if the old address isn't published in that registry's zone
today.

You're absolutely correct, however, that in an ideal world you'd only
have to worry about the registry which is superordinate to the name
of the authority server in question. It's quite possible that
assuming the world is ideal in this case will not cause substantial
problems; however, see paranoia, above.

Joe



Re: Gothcas of changing the IP Address of an Authoritative DNS Server

2005-12-14 Thread Jason Lixfeld



On 14-Dec-05, at 10:02 AM, Joe Abley wrote:

> You also want to check all the registries which are superordinate
> to zones your server is authoritative for, and check that any IP
> addresses stored in those registries for your nameserver are
> updated, otherwise you will experience either immediate or future
> glue madness.
> 
> A conservative approach to this kind of transition is to arrange
> for your nameserver (or different nameservers hosting the same
> data) to respond on both the old and new addresses, and to continue
> in that mode until you see no queries directed at the old address
> for some safe-seeming interval (bearing in mind TTLs and cached
> records, alluded to by Steven and Sam).

If you have access customers (Dial/Broadband/etc) make sure they know
the IP for your DNS server is changing in case they hardcode the IP of
your DNS server into their PCs.


Re: Gothcas of changing the IP Address of an Authoritative DNS Server

2005-12-14 Thread Joe Maimon




Joe Abley wrote:

> You also want to check all the registries which are superordinate to
> zones your server is authoritative for, and check that any IP addresses
> stored in those registries for your nameserver are updated, otherwise
> you will experience either immediate or future glue madness.

I thought that would be only ONE registrar, hosting the ONE zone that
contains the nameserver A record.

Unless you are in the habit of having domains registered with their own
nameserver glue and pointing it at the same IP address.

Didn't registrars not allow that?




Re: Gothcas of changing the IP Address of an Authoritative DNS Server

2005-12-14 Thread Joe Abley



On 13-Dec-2005, at 16:28, Steven M. Bellovin wrote:

> In message <[EMAIL PROTECTED]>, Sam Crooks writes:
> >
> > I would think you would want to drop your DNS record TTLs for all
> > domains being moved to something very low several days before the
> > switch-over period.
> 
> More precisely, you want to change the TTL on the NS records, which are
> in the parent zone.  If you're keeping the name but changing the
> address, worry about the A records, too.

You also want to check all the registries which are superordinate to
zones your server is authoritative for, and check that any IP
addresses stored in those registries for your nameserver are updated,
otherwise you will experience either immediate or future glue madness.

A conservative approach to this kind of transition is to arrange for
your nameserver (or different nameservers hosting the same data) to
respond on both the old and new addresses, and to continue in that
mode until you see no queries directed at the old address for some
safe-seeming interval (bearing in mind TTLs and cached records,
alluded to by Steven and Sam).

Joe

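Steve's point that the TTLs that matter are on the NS records in the parent zone (and on the A record if the name stays and the address changes), and Joe's point that every superordinate registry holding an address for the nameserver has to be checked, as an added shell example. This is not code from the thread or from any poster. The zone, the nameserver name, the addresses and the sample dig output are constructed placeholders; `fetch_delegation` is shown but not executed, and only the audit over the constructed sample runs.

```shell
#!/bin/sh
# Added example, not code from this thread. Checks what a parent zone publishes
# for one of our authority servers: the glue A record's address and the TTLs on
# the delegation. All names and addresses are constructed placeholders.
ZONE="example.com."            # a zone we serve (placeholder)
NS_NAME="ns1.example.net."     # our authority server's name (placeholder)
NEW_IP="198.51.100.53"         # the new ARIN-assigned address (placeholder)
MAX_TTL=3600                   # anything above this is flagged before the move

# Live lookup, shown but not run here. Ask a parent-zone server directly and
# without recursion so we see the delegation and glue the registry actually
# publishes rather than a resolver's cache. $1 is one of the parent's servers.
fetch_delegation() {
    dig +norecurse +noall +authority +additional @"$1" "$ZONE" NS
}

# Audit dig output (name ttl class type rdata) read from stdin.
#   STALE_GLUE: the A record for our server still carries a non-new address
#   HIGH_TTL:   an NS or A record whose TTL exceeds $3 seconds
# Exits 1 if anything was flagged, 0 otherwise. Args: ns_name new_ip max_ttl.
# Repeat this against each registry superordinate to a zone the server is
# listed for, not only the one holding the server's own name.
audit_delegation() {
    awk -v ns="$1" -v want="$2" -v maxttl="$3" '
        $3 == "IN" && $4 == "A" && $1 == ns && $5 != want {
            print "STALE_GLUE", $1, $5; bad = 1
        }
        $3 == "IN" && ($4 == "NS" || $4 == "A") && ($2 + 0) > (maxttl + 0) {
            print "HIGH_TTL", $1, $4, $2; bad = 1
        }
        END { if (bad) exit 1; exit 0 }'
}

# Constructed sample of what fetch_delegation might return before the move:
# the delegation still carries the old 192.0.2.53 glue with a two-day TTL.
SAMPLE_DIG='example.com.        172800  IN  NS  ns1.example.net.
example.com.        172800  IN  NS  ns2.example.net.
ns1.example.net.    172800  IN  A   192.0.2.53
ns2.example.net.    3600    IN  A   198.51.100.54'

# Stand-alone run over the sample; in real use pipe fetch_delegation into it.
printf '%s\n' "$SAMPLE_DIG" | audit_delegation "$NS_NAME" "$NEW_IP" "$MAX_TTL" \
    || echo "delegation for $ZONE needs attention before the move"
```

The TTL the parent publishes on its NS records and glue is set by the registry, not by the zone operator, so a HIGH_TTL line is a planning input (how long stale glue can survive in caches after the registrar record is updated) rather than something the script can lower; that is why Joe's overlap period has to be measured against these values and not only against the TTLs in the zones you control.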


Re: Gothcas of changing the IP Address of an Authoritative DNS Server

2005-12-13 Thread Steven M. Bellovin

In message <[EMAIL PROTECTED]>, Sam Crooks writes:
>
>I would think you would want to drop your DNS record TTLs for all
>domains being moved to something very low several days before the
>switch-over period.

More precisely, you want to change the TTL on the NS records, which are 
in the parent zone.  If you're keeping the name but changing the 
address, worry about the A records, too.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb




Re: Gothcas of changing the IP Address of an Authoritative DNS Server

2005-12-13 Thread Sam Crooks

I would think you would want to drop your DNS record TTLs for all
domains being moved to something very low several days before the
switch-over period.



On 12/13/05, Eric Kagan <[EMAIL PROTECTED]> wrote:
>
> We need to move our Primary DNS server from legacy IP space provided by our
> upstreams to our ARIN Assigned IP space.  I am looking for advice and any
> gotchas.  I couldn't find any white papers to this effect or archived
> articles or postings.  If someone does have a resource for this or find this
> could be valuable, I can certainly gather all the info and document it.
> Most of the Registrars I have seen now use the Authoritative DNS Server Host
> names for the domain name registrations vs the IP Address. For most of our
> customers, we register and host the DNS.  I have confirmed almost all the
> customers have either Network Solutions, Tucows, Go Daddy and Register.com.
>
> Can I simply change the IP address of our DNS server and update the DNS Host
> Record with our registrar with the new IP and any A / NS records we have ?
> As long as other customers' domains have our DNS Server FQDN as the Host,
> they should not need to make any changes, correct ?   I would love to think
> it's that simple, but there is always a gotcha.  Does anyone know of any main
> registries using just the IP Address where the customer might need to go in
> and make those changes for each and every domain ?  Any input, advice or
> ideas is appreciated.
>
> Thanks
> Eric
>


Gothcas of changing the IP Address of an Authoritative DNS Server

2005-12-13 Thread Eric Kagan



We need to move our Primary DNS server from legacy IP space provided by our
upstreams to our ARIN Assigned IP space.  I am looking for advice and any
gotchas.  I couldn't find any white papers to this effect or archived
articles or postings.  If someone does have a resource for this or find this
could be valuable, I can certainly gather all the info and document it.
Most of the Registrars I have seen now use the Authoritative DNS Server Host
names for the domain name registrations vs the IP Address. For most of our
customers, we register and host the DNS.  I have confirmed almost all the
customers have either Network Solutions, Tucows, Go Daddy and Register.com.

Can I simply change the IP address of our DNS server and update the DNS Host
Record with our registrar with the new IP and any A / NS records we have ?
As long as other customers' domains have our DNS Server FQDN as the Host,
they should not need to make any changes, correct ?   I would love to think
it's that simple, but there is always a gotcha.  Does anyone know of any main
registries using just the IP Address where the customer might need to go in
and make those changes for each and every domain ?  Any input, advice or
ideas is appreciated.
 
Thanks
Eric