Hi Mike,

> Anyone want to (gently) shoot me down....?
Not really. Of course, the correct fix would be to fix the authoritative setup. You could do some research on your end to see how many requests your servers are doing towards the service provider. Maybe you run into some sort of rate limiting.

On the other hand, I have failed to remove my blacklisted recursor source IPs from national-lottery.co.uk/nsX.camelotinteractive.com (speaking of the recursors used by the gmx.net/web.de/mail.com mail system) to be able to resolve the MX records for national-lottery.co.uk. My fix was to add a forward to Cloudflare/Google DNS for this (in my opinion badly behaving) domain to empty the mail queues and stop customer complaints.

Cheers,
Thomas

On 5/27/20 10:33 PM, Mike via Pdns-users wrote:
Hi,

I already know I'm going to get in trouble with the DNS protocol police, and probably shoot myself in the foot at the same time, however....

I know of a large service provider that has foolishly put both authoritative name servers for their domain on the same subnet, and which has occasional routing propagation issues that make it impossible to reach their domain servers from some portions of the net but not others. The services themselves, such as their MX host, continue to be accessible, but the nameservers that tell you where the MX host is are occasionally not.

I was thinking one possible valid approach could simply be a secondary cache where pdns will move records that reach normal cache expiration. This secondary cache then attempts to re-validate records with the auth servers, and if it gets NXDOMAIN or updated data, flush or update the cache per normal. But pdns would continue answering queries out of this secondary cache (with a low TTL) as long as it has not received any other authoritative data, at which point, when it does, the entry could go back into the primary cache (or be removed).

I don't think the size of this secondary cache would grow out of control, because we're really just tracking records that we cannot get answers about either way from their primary auth servers. I don't see where this would break anything either since, again, deletion from the cache would be due to NXDOMAIN from an auth server, either the domain auth or the root.

Mike-

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
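The "secondary cache" Mike sketches is essentially the serve-stale behaviour described in RFC 8767: on expiry, re-validate; on NXDOMAIN, flush; on new data, refresh; on no answer at all, keep serving the old record with a short TTL. The following is an added toy model of that state machine, not code from the thread or from PowerDNS. The names (`Resolver`, `FlakyAuthority`, `STALE_TTL`, `MAX_STALE_AGE`), the 30-second stale TTL, the one-day upper bound on how long a stale record is kept, and the sample zone data are all assumptions made up for the example; it also adds an age limit, which Mike's sketch does not have, so that the secondary cache is provably bounded.

```python
"""Toy model of a resolver cache with a stale-serving secondary cache.

Added example (not from the mailing-list thread). Outcomes on expiry:
  * authority answers      -> record refreshed, lives in the primary cache
  * authority says NXDOMAIN -> record flushed from both caches
  * authority unreachable  -> record parked in the secondary cache and
                              served with a short TTL until it is reachable
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

STALE_TTL = 30          # TTL put on answers served from the secondary cache (assumption)
MAX_STALE_AGE = 86400   # stop serving a stale record after one day (assumption)


class Unreachable(Exception):
    """Authoritative server did not answer (timeout, routing failure)."""


class NXDomain(Exception):
    """Authoritative server answered that the name does not exist."""


@dataclass
class Record:
    rdata: str
    expires_at: float


@dataclass
class Resolver:
    # auth(name) -> (rdata, ttl), or raises Unreachable / NXDomain
    auth: Callable[[str], Tuple[str, int]]
    primary: Dict[str, Record] = field(default_factory=dict)
    secondary: Dict[str, Record] = field(default_factory=dict)   # stale entries only
    stale_since: Dict[str, float] = field(default_factory=dict)  # first time served stale

    def _forget(self, name: str) -> None:
        self.primary.pop(name, None)
        self.secondary.pop(name, None)
        self.stale_since.pop(name, None)

    def lookup(self, name: str, now: float) -> Optional[Tuple[str, int]]:
        rec = self.primary.get(name)
        if rec and rec.expires_at > now:
            return rec.rdata, int(rec.expires_at - now)   # ordinary cache hit
        try:
            rdata, ttl = self.auth(name)                   # expired or unknown: re-validate
        except NXDomain:
            self._forget(name)                             # authoritative "gone": flush
            return None
        except Unreachable:
            stale = rec or self.secondary.get(name)
            if stale is None:
                return None                                # nothing old to fall back on
            since = self.stale_since.setdefault(name, now)
            if now - since > MAX_STALE_AGE:
                self._forget(name)                         # bound the secondary cache
                return None
            self.primary.pop(name, None)
            self.secondary[name] = stale                   # park it, serve with short TTL
            return stale.rdata, STALE_TTL
        # Authority answered: (re)enter the primary cache and drop any stale copy.
        self.primary[name] = Record(rdata, now + ttl)
        self.secondary.pop(name, None)
        self.stale_since.pop(name, None)
        return rdata, ttl


class FlakyAuthority:
    """Simulated auth server whose reachability can be toggled (constructed)."""

    def __init__(self, zone: Dict[str, Tuple[str, int]]):
        self.zone = dict(zone)
        self.reachable = True

    def __call__(self, name: str) -> Tuple[str, int]:
        if not self.reachable:
            raise Unreachable(name)
        if name not in self.zone:
            raise NXDomain(name)
        return self.zone[name]


def scenario() -> list:
    """Walk through fresh -> stale -> updated -> NXDOMAIN with constructed data."""
    auth = FlakyAuthority({"mx.example.net": ("192.0.2.25", 300)})
    r = Resolver(auth)
    out = [r.lookup("mx.example.net", 0),      # fresh answer, TTL 300
           r.lookup("mx.example.net", 100)]    # primary hit, 200 s left
    auth.reachable = False                     # routing breaks to the auth servers
    out.append(r.lookup("mx.example.net", 400))  # expired, served stale with TTL 30
    out.append(r.lookup("mx.example.net", 500))  # still stale
    auth.reachable = True
    auth.zone["mx.example.net"] = ("192.0.2.26", 300)
    out.append(r.lookup("mx.example.net", 600))  # updated data, back in primary
    del auth.zone["mx.example.net"]
    out.append(r.lookup("mx.example.net", 1000))  # NXDOMAIN after expiry: flushed
    return out


def stale_age_scenario() -> Tuple[Optional[Tuple[str, int]], bool]:
    """Show that a record stuck in the secondary cache is eventually dropped."""
    auth = FlakyAuthority({"mx.example.net": ("192.0.2.25", 300)})
    r = Resolver(auth)
    r.lookup("mx.example.net", 0)
    auth.reachable = False
    r.lookup("mx.example.net", 400)                        # goes stale at t=400
    result = r.lookup("mx.example.net", 400 + MAX_STALE_AGE + 1)
    return result, "mx.example.net" in r.secondary


if __name__ == "__main__":
    for step in scenario():
        print(step)
    print(stale_age_scenario())
```

The model makes the point of Mike's last paragraph concrete: names only enter `secondary` when their authority is unreachable and leave it on the first NXDOMAIN, the first fresh answer, or the age limit, so its size is bounded by the set of names whose auth servers are currently down.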