Networking & Protocols
DNS: free-recall review
Retrieval beats re-reading. For each prompt, say or write a full answer from memory before you open the model answer — the effort of recall is what makes the mechanism stick when you are mid-incident.
Reconstruct the unit’s core mechanisms — the iterative resolver walk, glue, what TTL really controls, negative caching, the DNSSEC chain of trust, and how encrypted transport differs from DNSSEC — without looking back at the lessons.
1. Walk a cold lookup of cdn.example.co.uk and explain why the resolver's queries are iterative while the client's is recursive.
2. What is a glue record, and what breaks without it?
3. Why is "DNS propagation" a misleading term, and what is the correct operational SOP for a planned record change?
4. What is negative caching, what durations govern it, and why does it matter under load?
5. Describe the DNSSEC chain of trust, the ZSK/KSK split, and the single most common rollover failure.
6. What does encrypted DNS (DoH/DoT/DoQ) protect, what does DNSSEC protect, and why do you need both?
If you could reconstruct each answer from memory, you hold the unit's spine:

- The resolver walks iteratively, root to TLD to authoritative, following each referral to the next server; the client's single query is recursive because it asks the resolver to do that whole walk on its behalf. Glue is the A/AAAA record the parent hands out alongside a delegation whose nameserver lives inside the zone being delegated; without it, learning the nameserver's address would require querying the very zone that nameserver serves, and the lookup is circular.
- A TTL is permission for a cache to keep an answer for that long, nothing more, so "propagation" is just independent caches expiring on their own schedules. The planned-change SOP: lower the TTL at least one old-TTL interval before the change so every cache has picked up the short value, make the change, confirm it at the authoritative servers, then raise the TTL again.
- Negative caching stores NXDOMAIN and NODATA answers for min(SOA TTL, SOA MINIMUM) (RFC 2308) and resolution failures such as SERVFAIL only briefly (RFC 9520 bounds that at one second to five minutes). Without it every query for a name that does not exist would reach the authoritative servers, which is exactly what a random-subdomain flood exploits.
- DNSSEC chains from the root trust anchor: each parent publishes a DS that commits to the digest of the child's KSK, the KSK signs the child's DNSKEY RRset (which contains the ZSK), and the ZSK signs the zone data. The most common rollover failure is rolling the KSK and forgetting to update the DS at the parent: validating resolvers return SERVFAIL while non-validating ones keep answering, so users are split by which resolver they happen to use.
- Encrypted transport (DoT/DoH/DoQ) protects the hop between stub and resolver from eavesdropping and tampering; DNSSEC authenticates the data itself on any transport. They are orthogonal: DNSSEC validation at the resolver is what defeats cache poisoning, and encrypted transport stops an on-path attacker from substituting answers between you and that resolver, which DNSSEC alone does not cover unless the stub validates too.
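The iterative walk and the glue dependency from prompts 1 and 2, as an added worked example (not code from the original page): a toy resolver that follows referrals over constructed zone data, with no network involved. Every IP address and hostname in it is made up, and the delegation shape is simplified (root delegates uk and net; co.uk is served inside the uk zone rather than delegated separately; an out-of-bailiwick nameserver for other.co.uk shows the glueless case that does work). Deleting the glue for ns1.example.co.uk reproduces the circular lookup the prompt asks about.

```python
"""Toy iterative resolver over constructed zone data, no network involved.

Every address and hostname below is constructed for the example; the delegation
shape (root -> uk -> example.co.uk, with co.uk served inside the uk zone rather
than delegated separately) is the one the cold-lookup prompt asks about."""
import copy

ROOT_HINT = "198.41.0.4"   # constructed root server address (the resolver's only hint)

# server IP -> {(owner, type): [rdata, ...]}; names lowercase, no trailing dot.
SERVERS = {
    ROOT_HINT: {                                       # root zone
        ("uk", "NS"): ["nsa.nic.uk"],
        ("nsa.nic.uk", "A"): ["156.154.100.3"],        # glue for the uk delegation
        ("net", "NS"): ["a.gtld-servers.net"],
        ("a.gtld-servers.net", "A"): ["192.5.6.30"],   # glue for the net delegation
    },
    "156.154.100.3": {                                 # uk zone; co.uk is just a subdomain here
        ("example.co.uk", "NS"): ["ns1.example.co.uk"],
        ("ns1.example.co.uk", "A"): ["203.0.113.10"],  # glue: the NS lives inside the zone it serves
        ("other.co.uk", "NS"): ["ns.example.net"],     # out-of-bailiwick NS: no glue needed
    },
    "192.5.6.30": {                                    # net zone
        ("example.net", "NS"): ["ns.example.net"],
        ("ns.example.net", "A"): ["198.51.100.53"],    # glue
    },
    "203.0.113.10": {                                  # authoritative for example.co.uk
        ("cdn.example.co.uk", "A"): ["203.0.113.80"],
    },
    "198.51.100.53": {                                 # authoritative for example.net and other.co.uk
        ("ns.example.net", "A"): ["198.51.100.53"],
        ("www.other.co.uk", "A"): ["198.51.100.80"],
    },
}


class ResolutionError(Exception):
    pass


def query(servers, server_ip, name, rtype):
    """One authoritative query. A name below a delegation cut gets a referral (plus any
    glue the server holds) even if the server also has glue for that exact name, which is
    how real servers treat glue: a hint in the additional section, not an answer."""
    zone = servers[server_ip]
    labels = name.split(".")
    for i in range(len(labels)):                       # longest-matching delegation first
        cut = ".".join(labels[i:])
        if (cut, "NS") in zone:
            ns_names = zone[(cut, "NS")]
            glue = {n: zone[(n, "A")] for n in ns_names if (n, "A") in zone}
            return "referral", ns_names, glue
    if (name, rtype) in zone:
        return "answer", zone[(name, rtype)], {}
    return "nxdomain", None, {}


def resolve(name, rtype, servers=SERVERS, trace=None, pending=frozenset()):
    """Iterative walk from the root hint, following referrals until an answer.
    Returns (rdatas, trace); trace lists every (server, qname, response kind) sent,
    including the nested walks needed for glueless nameservers."""
    if trace is None:
        trace = []
    name = name.lower().rstrip(".")
    server_ip = ROOT_HINT
    while True:
        kind, data, glue = query(servers, server_ip, name, rtype)
        trace.append((server_ip, name, kind))
        if kind == "answer":
            return data, trace
        if kind == "nxdomain":
            raise ResolutionError(f"{name}: NXDOMAIN from {server_ip}")
        if glue:                                       # referral with glue: go straight there
            server_ip = next(iter(glue.values()))[0]
            continue
        ns_name = data[0]                              # no glue: the NS name needs its own walk
        if ns_name in pending:
            raise ResolutionError(
                f"{name}: delegation to {ns_name} has no glue and {ns_name} sits inside "
                f"the zone it serves, so the lookup is circular")
        addrs, _ = resolve(ns_name, "A", servers, trace, pending | {ns_name})
        server_ip = addrs[0]


def demo():
    """Cold lookup with glue, then the same lookup after deleting the glue record."""
    addrs, trace = resolve("cdn.example.co.uk", "A")
    glueless = copy.deepcopy(SERVERS)
    del glueless["156.154.100.3"][("ns1.example.co.uk", "A")]
    try:
        resolve("cdn.example.co.uk", "A", glueless)
        failure = None
    except ResolutionError as exc:
        failure = str(exc)
    return addrs, trace, failure


if __name__ == "__main__":
    addrs, trace, failure = demo()
    for hop in trace:
        print("query %-15s for %-22s -> %s" % hop)
    print("answer:", addrs)
    print("without glue:", failure)
```

Run it and read the trace: the client would have sent one recursive query, but the resolver sent three iterative ones (root, uk, example.co.uk), and a lookup of www.other.co.uk shows a nested walk for the glueless but out-of-bailiwick ns.example.net, which is fine because that walk never depends on other.co.uk itself. Only the in-bailiwick nameserver without glue turns into a circular dependency, which is the case glue exists to break.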
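The DS link in the chain of trust and the forgotten-DS rollover failure from prompt 5, as an added worked example (not code from the original page). The key tag and DS digest are computed exactly as RFC 4034 Appendix B and RFC 4509 specify, so the functions work on real DNSKEY RDATA; the key bytes used in the scenario are constructed placeholders rather than real keys, and RRSIG verification is deliberately left out so the example isolates the one link a KSK rollover has to preserve.

```python
"""DS generation and delegation check for a DNSSEC chain of trust, over constructed keys.

Key tag (RFC 4034 Appendix B) and DS digest (RFC 4034 section 5.1.4 with SHA-256 per
RFC 4509) are computed as the real algorithms specify; the public key bytes are
constructed placeholders, not real keys, and no RRSIG is verified here. The point is
the DS -> DNSKEY link that a KSK rollover must keep intact."""
import hashlib

KSK_FLAGS = 257            # zone key + SEP (Secure Entry Point) bit
ZSK_FLAGS = 256            # zone key only
ALG_ECDSAP256SHA256 = 13   # algorithm number used in the DNSKEY/DS fields below
DIGEST_SHA256 = 2          # DS digest type


def name_to_wire(owner):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    wire = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in owner.lower().rstrip(".").split(".") if label)
    return wire + b"\x00"


def dnskey_rdata(flags, algorithm, pubkey):
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B checksum: a 16-bit hint for selecting keys, not an identity."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, rdata):
    """DS RDATA a parent publishes for a child DNSKEY: (key tag, algorithm, digest type, digest).
    The digest covers the canonical owner name followed by the full DNSKEY RDATA."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return key_tag(rdata), rdata[3], DIGEST_SHA256, digest


def secure_entry_point(owner, parent_ds_set, child_dnskey_rrset):
    """Return the first child DNSKEY whose DS matches one the parent publishes, or None.
    A validator needs exactly this match (plus a valid RRSIG over the DNSKEY RRset by that
    key, not modelled here) before it can trust anything signed in the child zone."""
    for rdata in child_dnskey_rrset:
        if ds_record(owner, rdata) in parent_ds_set:
            return rdata
    return None


def fake_pubkey(label):
    """Constructed 64-byte placeholder standing in for real key material."""
    return hashlib.sha256(b"placeholder:" + label).digest() * 2


def ksk_rollover_scenario(owner="example.co.uk"):
    """The classic failure: the child rolls its KSK but the parent's DS still names the old
    one. Returns whether the delegation validates (before, double-signed, DS forgotten, fixed)."""
    old_ksk = dnskey_rdata(KSK_FLAGS, ALG_ECDSAP256SHA256, fake_pubkey(b"old-ksk"))
    new_ksk = dnskey_rdata(KSK_FLAGS, ALG_ECDSAP256SHA256, fake_pubkey(b"new-ksk"))
    zsk = dnskey_rdata(ZSK_FLAGS, ALG_ECDSAP256SHA256, fake_pubkey(b"zsk"))
    parent_ds = {ds_record(owner, old_ksk)}      # what the registry currently publishes

    before = secure_entry_point(owner, parent_ds, [old_ksk, zsk])
    double = secure_entry_point(owner, parent_ds, [old_ksk, new_ksk, zsk])   # pre-publish: still fine
    forgot = secure_entry_point(owner, parent_ds, [new_ksk, zsk])            # old KSK withdrawn, DS stale
    fixed = secure_entry_point(owner, {ds_record(owner, new_ksk)}, [new_ksk, zsk])
    return (before is not None, double is not None, forgot is not None, fixed is not None)


if __name__ == "__main__":
    print("validates (before, double-signed, DS forgotten, DS updated):", ksk_rollover_scenario())
```

The four scenario results are the rollover in order: the delegation validates with the old key, keeps validating while both KSKs are published (the old DS still matches, so the DS swap can happen safely at this stage), goes bogus the moment the old KSK is withdrawn with the parent's DS unchanged, and validates again once the parent publishes the new DS. The bogus step is the "split users" failure: validating resolvers answer SERVFAIL, non-validating ones keep serving the zone, and nothing in the zone file itself looks wrong. The ZSK never appears in any DS, which is the reason a ZSK can be rolled without touching the parent at all.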