How exactly did you set up this failover scheme? You run your own instance of bind. And I'm assuming you're listing your domain's NS records as your own, and another party's (e.g. cloudflare, etc)?
I’m not running BIND. I got tired of that program. Right now I’m using PowerDNS. Quite a bit overkill, but that server is extremely lightly loaded.
I’m not using CloudFlare, either. That’s the point. If I use CloudFlare CDN, then I depend on CloudFlare’s DNS servers.
The way it works is that DNS servers often have a master/slave relationship. The master sends all the records to the slave once in a while. What you’re supposed to do is list your own server and another server as two separate NS records, and then any client can contact either server for any record. What I’m doing is a hidden master setup. Neither NS record refers to the master, but both point to separate slaves.
There are some downsides. You must assume that any record is public, not private. DNSSEC white lies[0] (and black lies[1]) are not available. And it’s more difficult to use a CDN. But I’m not running a web site right now, so that doesn’t matter to me.
[0] https://blog.cloudflare.com/dnssec-complexities-and-consider...
[1] https://blog.cloudflare.com/black-lies/
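As an added example, not the commenter's own configuration, here is a small Python check of the invariant the reply describes: the apex NS records point only at the public secondaries and never at the hidden master. It also checks the SOA MNAME field, which RFC 2136 dynamic-update clients use to locate the primary and so leaks a hidden master if it names it, and that each in-zone NS has glue. The zone file and the hidden master name are constructed for illustration.

```python
# Constructed sample zone using RFC 5737 documentation addresses; the hidden
# master (198.51.100.5) must not be named by any apex NS record or the SOA MNAME.
ZONE = """\
$ORIGIN example.com.
@ IN SOA ns1.example.com. hostmaster.example.com. (2024010101 3600 900 1209600 300)
@ IN NS ns1.example.com.
@ IN NS ns2.example.com.
ns1 IN A 192.0.2.10
ns2 IN A 192.0.2.20
hidden IN A 198.51.100.5
"""


def parse_zone(text):
    """Minimal one-record-per-line parser; returns (origin, [(owner, type, rdata)])."""
    origin, records = None, []
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = line.split()                      # "<owner> IN <TYPE> <rdata...>"
        owner, rtype, rdata = fields[0], fields[2], " ".join(fields[3:])
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        records.append((owner, rtype, rdata))
    return origin, records


def check_hidden_master(text, hidden_master):
    """Return a list of problems; an empty list means the zone keeps the master hidden."""
    origin, recs = parse_zone(text)
    hidden = hidden_master.rstrip(".") + "."
    ns_set = {rd for own, t, rd in recs if own == origin and t == "NS"}
    glue = {own for own, t, _ in recs if t in ("A", "AAAA")}
    mname = next(rd.split()[0] for own, t, rd in recs if own == origin and t == "SOA")
    problems = []
    if hidden in ns_set:
        problems.append(f"hidden master {hidden} is published as an NS record")
    if mname == hidden:
        problems.append(f"SOA MNAME {mname} reveals the hidden master")
    if len(ns_set) < 2:
        problems.append("fewer than two NS records, so no failover")
    for ns in sorted(ns_set):
        if ns.endswith("." + origin) and ns not in glue:
            problems.append(f"in-zone NS {ns} has no glue A/AAAA record")
    return problems
```

Run `check_hidden_master(ZONE, "hidden.example.com")` on a zone before loading it into the master; any non-empty result means the published delegation would expose the master or break failover.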