The two-question reversibility test
The reflex test that sorts actions by blast radius. Different DNS operations sit at different points on the gradient; the test runs per-action, not per-shift.
The two-question test from the Foundation course is the heart of escalation judgement. Different DNS operations sit at different points on the reversibility gradient. Knowing where each one sits lets you ask the right form of the test before acting.
Before any change touching a live domain or DNS record:
- If I do this and it’s wrong, is it reversible?
- Do I understand why this is the right action, or am I copying steps?
If either answer is “no” — escalate.
The reversibility gradient in DNS
| Action | Reversibility | Risk |
|---|---|---|
| TTL value change | Fully reversible within the old TTL | Low |
| Record value edit (A, AAAA, CNAME, MX, TXT) | Reversible; propagation-bound | Minutes to hours of stale state |
| Nameserver change at registrar | Reversible; longer tail (parent NS TTL) | Hours to days of broken state |
| Domain expiry within grace | Reversible by renewal | Decays sharply with time |
| DNSSEC operation | Marginally; reversion is complex | Hours of total outage |
| Registrant change | Practically irreversible for 60 days (post-change lock) | Long-term operational lock |
| Domain past pending delete | Irreversible | Gone |
Applying the test by reversibility
What this is NOT
- “All DNS edits are low-risk because the panel is friendly.” The panel doesn’t distinguish between editing TTL and disabling DNSSEC; both are clicks. The blast radius does distinguish them.
- “The senior said do it is sufficient why.” For high-blast-radius actions, the why should be written down and the sign-off should be explicit. Verbal just go ahead is fine for routine; not for DNSSEC, registrant changes, or other near-irreversible actions.
- “Apply the test once per shift.” The test runs per-action, not per-shift. Each change gets the two questions.
Worked decision
A senior pings: client says they want DNSSEC off on example.com so they can transfer DNS to a new host. Just remove the DS records at the registrar and change nameservers — should be quick.
The two-question test applied: reversible? Marginally for DNSSEC; consequence of getting it wrong is the zone-dark scenario for hours. Why? Senior said do it — not sign-off-shaped, not following the documented safe-disable sequence.
The constructive reply: DNSSEC disable then immediate nameserver change is the cardinal sin from lesson 06 — it skips the DS-TTL wait. The safe sequence is: remove DS, wait the DS TTL (24-48 hours), verify the zone is insecure, then change nameservers. Can I run the safe sequence and get your sign-off in writing on the safe-disable step?
You’re not refusing the work; you’re flagging that the action is in the high-blast-radius column and requesting the right form of authority. That’s the test working as intended.