On 2 May 2024, at 20:45, Peter Hessler <phessler@theapt.org> wrote:
> Semi-related, and apology for the micro-managing, do you think it would make sense to lower the TTL on those zones from 1 day to something shorter during the change?

Zones don't have TTLs; RRSets have TTLs. In the case of a secondary zone the TTLs are specified by the zone administrator (and the administrator of the zone's parent for the NS and DS RRSets above the zone cut) not the administrator of the secondary server.

Unless you're in an unusual hurry there's often no benefit in lowering TTLs anywhere, anyway.

Ordinarily what you try to do in these situations is keep operating the secondary zone after the relevant NS RRSets have been changed until there's no remaining traffic, since there is variation in how published TTLs are implemented in downstream dependent systems and waiting for zero is better than trying to predict what that variation might be. Once you're tired of waiting for the traffic to reach zero you remove the zone and rely on the negative responses to signal that the zone has moved. When the traffic still hasn't stopped to zero long after that you retire the nameserver address and plan not to respond to DNS traffic on it ever again.

Pretty sure the DNS people at the NCC already know more about all of this than most of the rest of us.

Joe