LinuxQuestions.org
Old 08-03-2019, 12:51 PM   #1
upnort
Senior Member
 
Registered: Oct 2014
Distribution: Slackware
Posts: 1,893

BIND configs and general DNS operations


My apologies for the generic topic title.

At work I inherited responsibility for the name and DNS servers. I want to understand some things about our setup.

There are three name servers, the primary/master ns1 and secondary/slaves ns2, ns3. There are two caching servers, dns1 and dns2.

* How does ns1 notify the root servers of changes? The BIND admin manual mentions notification of secondary/slaves but not of anything upstream.

* How do the caching servers get notified of local name server changes?

* What is a reasonable expectation for local name server changes to propagate throughout the global DNS infrastructure?

* How do the big public DNS servers update themselves (Google, OpenDNS, Cloudflare, etc.)?

I presume the root servers are notified concurrently with the slaves. I just don't see the knee bone connection to the thigh bone. I am aware of the "root hints" file. I presume that list is used to notify root servers.

My guess with how the caching servers get "notified" is the normal lookup process. The caching servers ask the root servers for an authoritative server for the domain. The root servers reply that our own ns1 is the authoritative server and ns2/ns3 are secondaries -- ask those servers for the lookup. The caching servers ask our name server for the domain name and update their cache.

With the caching servers, is there a way to avoid the long round trip through the root servers? To configure the caching servers to request directly rather than through the root servers?

RTFM: I am reading through the BIND admin manual and the Zytrax web site. If my questions are answered there please just point me to the correct page.

Thanks again.
 
Old 08-03-2019, 01:17 PM   #2
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,750

I'm a bit fuzzy on the whole master/slave thing, but I think the master knows what his slave(s) are, and pushes changes to them. Slaves are configured to only accept changes from their master. I think.

A domain registrar/registration contains the name of the authoritative name server for that domain. That's the root of the relationship between a domain name and its name server. Like you, I'm not sure where things go from there, route-wise, though.

So, if one wants to change the name server(s) used for a domain, the change is made on the domain registration. The usual caveat is that it takes "up to 72 hours" for that change to propagate. I've known propagation to happen in as few as 30 minutes, however.

If one makes a change in the authoritative name server, say to add a sub-domain or change the IP address of an A record, that change is virtually instantaneous, in my experience, because such changes are accompanied by a change of the serial number of the record, which alerts the name server system that there's a change to be picked up, as I understand it. If the name server I'm using is slow to pick up those changes, there can be a delay, but both the name server at my data center and Cox's name servers at home get those within minutes.
 
Old 08-03-2019, 05:23 PM   #3
upnort
Senior Member
 
Registered: Oct 2014
Distribution: Slackware
Posts: 1,893

Original Poster
I'm a wee bit exhausted from searching, but after digging around the web I think I can answer some of my questions.

How does [our local primary/master] ns1 notify the root servers of changes?

There is no notification. The primary notifies only those servers configured to be notified, which for most people will only be secondary/slave servers. The root servers provide domain lookups only for the root zone. Otherwise the root servers reply only with the respective TLD name server, which replies with the names of authoritative servers for the requested domain.

How do the caching servers get notified of local name server changes?
They don't -- at least not directly like the secondary/slave servers. A caching server requests domain name information from a root server. The root server replies with the respective TLD server, which replies with the names of our authoritative local name servers, ns1, ns2, and ns3. The caching server then requests the information from one of those servers. In a way this seems inefficient to make this long round trip when the final authoritative servers are in the same infrastructure, but the process is remarkably fast. Possibly there is a way to configure local caching servers to contact local authoritative servers directly without the longer round trip.

Side notes.

Originally I thought caching server requests are always made to a primary authoritative server. Reading around the web indicates the respective name server is chosen randomly. I notice when I use dig or nslookup to request our domain name server information, the three name servers are listed in a different order much of the time. The ns1 server is not always listed first. From that list the caching server begins requesting information and times out if the first selected name server fails to respond timely. I don't know the length of the timeout.

My speculation is the root servers return the list of authoritative name servers in a random order to help prevent overloading the primary name server.

What is a reasonable expectation for local name server changes to propagate throughout the global DNS infrastructure?
I got sidetracked here. My reference point was not changing the registration of a site, which might take 24-48 hours to propagate, but only local zone changes. Those changes are immediate because of the way lookups are performed. If I change a zone file (and the respective serial number), the changes will be updated to the secondary/slave systems immediately. Concurrently when I make such local changes, I will restart the named service on the caching servers, which is done to force flush the cache. With the cache flushed, the next local domain lookup goes through the usual steps through the upstream root servers and the returned information is the list of local name servers. The caching server requests the information from the local name servers, and the caching server is updated.

Around the global DNS system, the same steps are used to discover the changes. Some caching servers might not perform a fresh lookup immediately, but TTL values eventually force other caching servers to request updated information. A few hours or so probably is a reasonable expectation for other servers to show the new information. I'm guessing worst case is 24 hours.

My head hurts a little.
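An added example, not posted in this thread, of how the three roles described above map onto BIND 9 configuration. All names, addresses (RFC 5737 documentation ranges) and file paths are placeholders, and each section belongs in the named.conf of the server named in its comment; they are not one file. It shows why ns1 never notifies anything upstream (NOTIFY is addressed only to the zone's NS records and the also-notify list), and one way to do what the last sentence of the caching-server answer speculates about: a forward zone on dns1/dns2 that sends queries for the local domain straight to ns1/ns2/ns3 instead of walking root, TLD and then ns1.

```bind
// ---- ns1 (primary / master) named.conf ----
options {
    directory "/var/named";
    recursion no;                 // authoritative only; never resolve for clients
    allow-transfer { none; };     // transfers are granted per zone, not globally
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // NOTIFY is sent to the zone's NS records plus the also-notify list.
    // Nothing is ever sent to the root or TLD servers; they only hold
    // the delegation (NS records) that the registrar published for us.
    notify yes;
    also-notify { 192.0.2.12; 192.0.2.13; };      // ns2, ns3 (placeholders)
    allow-transfer { 192.0.2.12; 192.0.2.13; };   // only the secondaries may AXFR/IXFR
};

// ---- ns2 / ns3 (secondary / slave) named.conf ----
zone "example.com" {
    type slave;
    file "slaves/example.com.zone";
    masters { 192.0.2.11; };       // ns1 (placeholder)
    allow-notify { 192.0.2.11; };  // only ns1 may trigger a refresh check
    allow-transfer { none; };      // do not hand the zone out to anyone else
};

// ---- dns1 / dns2 (caching resolvers) named.conf ----
options {
    directory "/var/named";
    recursion yes;
    // Closed resolver: only our own networks (placeholders) may recurse.
    allow-recursion { 192.0.2.0/24; 198.51.100.0/24; };
    allow-query     { 192.0.2.0/24; 198.51.100.0/24; };
};

// Short-circuit the root -> TLD -> ns1 walk for the local domain:
// queries for example.com go directly to the local authoritative servers.
zone "example.com" {
    type forward;
    forward only;
    forwarders { 192.0.2.11; 192.0.2.12; 192.0.2.13; };
};
```

Two points that go with this layout. A secondary that receives a NOTIFY (or reaches the refresh interval from the zone's SOA record) compares the SOA serial it holds with the one on the master and only transfers the zone if the master's serial is higher, which is why the serial must be bumped with every edit. On the caching servers, `rndc flush` empties the cache without a restart of named; and because `forward only` never falls back to normal iteration, lookups for the local domain fail on dns1/dns2 if all three forwarders are unreachable, so use `forward first` if you would rather have the resolver fall back to the root-hints path in that case.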
 
Old 08-03-2019, 05:38 PM   #4
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,750

Quote:
Originally Posted by upnort
[snip]
My head hurts a little.
Thanks for the excellent follow-up.

It all made my head hurt too, so I got out of the business. I manage/maintain authoritative name server entries at the service my registrar provides. I'm no longer running bind myself.

Too bad I can't just ship you my nearly untouched copy of O'Reilly's "DNS and BIND"
 