TTL Question
Mark Andrews
Mark_Andrews at isc.org
Wed Oct 17 00:40:48 UTC 2007
>
> On Wed, 17 Oct 2007, Mark Andrews wrote:
>
> >
> >>
> >> On Wed, 17 Oct 2007, Mark Andrews wrote:
> >>
> >>>
> >>>>
> >>>> What dictates how long another name server caches the authoritative name
> >>>> server for a domain? I was under the impression it was the default
> >>>> time-to-live, but I have a situation where an authoritative name server
> >>>> was removed from service several days ago, yet queries to it continue. Dig
> >>>> is correctly reporting the new authoritative name servers for the domain
> >>>> in question. How common is it for DNS servers to ignore the ttl?
> >>>
> >>> Because you failed to update *ALL* the servers for the zone to
> >>> have the new content. Every time a cache queries the old servers
> >>> it re-learns the old NS RRset for the zone.
> >>>
> >>> Mark
> >>>
> >> Mark,
> >>
> >> Do you know something I don't? Our registrar (Canhost) was contacted to
> >> have the DNS server removed. When I check cira.ca, that appears to have
> >> been done (it correctly lists our nameservers). Did I miss a step?
> >>
> >> -Mike
> >
> > NS records are in THREE places.
> >
> > The parent zone.
> > The new (current) servers.
> > The old servers.
> >
> > Not changing the old servers to have the new NS RRset gives
> > exactly these symptoms.
> >
> > Nameservers cache answers AND authority AND additional
> > sections. If you fail to update the old server to have the
> > new content then every time the nameserver fetches data from
> > the zone it re-learns the NS RRset via the authority section.
> >
> > [The same thing can happen also with the addresses for the
> > nameservers.]
> >
> > When you change nameservers you need to ensure ALL servers
> > are giving CONSISTENT answers. Both old, new and parent.
> > Once ALL the records involved in the delegation (NS/A/AAAA)
> > with old information have timed out you can then shut down
> > the old servers.
> >
> > Mark
> >
> > ; <<>> DiG 9.3.4-P1 <<>> a McMaster.CA @baldric.cis.McMaster.CA +norec
> > ; (1 server found)
> > ;; global options: printcmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43303
> > ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
> >
> > ;; QUESTION SECTION:
> > ;McMaster.CA. IN A
> >
> > ;; ANSWER SECTION:
> > McMaster.CA. 60 IN A 130.113.64.65
> >
> > ;; AUTHORITY SECTION:
> > McMaster.CA. 3600 IN NS blackadder.CIS.McMaster.CA.
> > McMaster.CA. 3600 IN NS baldric.CIS.McMaster.CA.
> >
> > ;; ADDITIONAL SECTION:
> > baldric.CIS.McMaster.CA. 3600 IN A 130.113.64.1
> > blackadder.CIS.McMaster.CA. 3600 IN A 130.113.128.1
> >
> > ;; Query time: 243 msec
> > ;; SERVER: 130.113.64.1#53(130.113.64.1)
> > ;; WHEN: Wed Oct 17 09:22:08 2007
> > ;; MSG SIZE rcvd: 128
> >
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
>
>
> Mark, thanks. The 'dig' output above is ALL correct and those are our
> valid name servers.
>
> Let me explain a bit more. Two new external name servers were added via
> our Registrar during - let's call it an experiment gone bad - that
> immediately caused problems, our Registrar was contacted and they were
> removed (albeit a day later due to an oversight on their part). Our
> original name servers above are configured exactly as they were.
>
> Since then several sites have reported having a problem sending us mail.
> The error that I've seen in the bounce reports is something to the effect
> "Delivery expired (message too old) 'no valid ip addresses'". It's only
> affecting a few sites and I don't have enough information from them to
> know for sure that it's related, but based on the timing, it must be.
> Anyway, it's been about 4 days since the errant records were removed, and
> we are still getting complaints. I'm assuming these sites have the errant
> Name Servers cached and are not letting go, hence my question.
>
>
> -Mike
So what were the addresses of the nameservers you attempted to
move to?
Are they still answering for McMaster.CA?
Can you make them slaves of the current zone?
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
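
The consistency check discussed in this thread (parent, current and old servers must all hand out the same NS RRset), as an added example that is not part of the original messages. It parses saved `dig ... NS +norec` output from each server and flags any server whose NS RRset differs from the current servers'; the zone `example.ca`, every server name and all dig output in it are constructed sample data.

```python
# Added example: compare the NS RRset each server hands out for a zone.
# Zone, server names and dig output below are constructed sample data.
import re

SAMPLES = {
    "parent (a.ns.example-tld.)": """
;; AUTHORITY SECTION:
example.ca.   86400   IN  NS  ns1.example.ca.
example.ca.   86400   IN  NS  ns2.example.ca.
""",
    "current (ns1.example.ca.)": """
;; ANSWER SECTION:
example.ca.   3600    IN  NS  ns1.example.ca.
example.ca.   3600    IN  NS  NS2.Example.CA.
""",
    "old (ns.old-host.example.)": """
;; ANSWER SECTION:
example.ca.   172800  IN  NS  ns.old-host.example.
example.ca.   172800  IN  NS  ns2.old-host.example.
""",
}

# owner  TTL  IN  NS  target  (a record line as dig prints it)
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+NS\s+(\S+)$", re.I)

def norm(name):
    """DNS names compare case-insensitively; drop the trailing dot."""
    return name.lower().rstrip(".")

def ns_rrset(dig_text, zone):
    """Return (set of NS targets, highest TTL) for `zone` in dig output."""
    targets, max_ttl = set(), 0
    for line in dig_text.splitlines():
        m = RR.match(line.strip())
        if m and norm(m.group(1)) == norm(zone):
            targets.add(norm(m.group(3)))
            max_ttl = max(max_ttl, int(m.group(2)))
    return targets, max_ttl

def inconsistent(samples, zone, reference):
    """Map each server whose NS RRset differs from the reference to what it serves."""
    want, _ = ns_rrset(samples[reference], zone)
    found = {s: ns_rrset(t, zone) for s, t in samples.items()}
    return {s: (sorted(g), ttl) for s, (g, ttl) in found.items() if g != want}

if __name__ == "__main__":
    bad = inconsistent(SAMPLES, "example.ca", "current (ns1.example.ca.)")
    for server, (got, ttl) in bad.items():
        print(f"{server}: serves {got}; a cache re-learns this for {ttl}s per query")
```
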