How to override too-short TTL?

Simon Waters Simon at wretched.demon.co.uk
Mon Aug 20 20:47:56 UTC 2001


Daemeon Reiydelle wrote:
>
>thought I would see if I missed a config values somewhere/somehow.

There are sensible (well fairly sensible) uses of very low TTL
for DNS resource records, so perhaps the reason you found it
hard to uncover how to do this is that it isn't such a good
idea.

Besides, the DNS traffic is (typically) small compared to modern
web traffic, even if some people are rather wasteful with the
bandwidth, and round trip times do accumulate.

EBAY.COM

Not quite sure which EBAY records you think have a TTL of 1 to 2
minutes. Most I've seen have at least 3600 seconds (which whilst
fairly low isn't unreasonably so).

"DOC" notes that ebay.com lists ns1.best.com in delegation, but
it isn't serving ebay.com. It also notes that not all the name
servers are listed in the delegation.

EXODUS.NET (Provide some DNS service to EBAY amongst other
things no doubt).

The Exodus name servers have 900 seconds TTL records - this does
seem rather low. If I were a betting man I'd assume they were
omitting the $TTL records at the start of each zone file, since
they are using BIND 8.2.3-REL, the SOA negative time to live (for
which 900 seconds sounds much more sensible!) will be used as
the default TTL for all records lacking an explicit TTL.

This observation is strongly supported by the SOA record from
exodus.net *8-)

DICE.COM

The DICE name servers have both delegation issues, and the same
TTL issue as EXODUS (Except their negative TTL is 300 seconds so
it's even worse).

Curiously while they have off network DNS servers they haven't
listed any of them in their delegation records at the
gtld-servers, so that won't help much when the unpleasant smelly
stuff hits the supporter.


My suspicion is quite a lot of these problems are a hangover
from the BIND tsig bug - people had to upgrade quickly to
8.2.3-REL, and not all the finer points were dealt with (well,
I'm not sure default TTL is a finer point of DNS, but it is
easily overlooked if you're in a hurry).

Since I suspect the errors you dislike are oversights - I've
copied the relevant administrators - which, if they fix it, you
have to agree is a better solution than you fiddling with the
BIND source code.

Of course in a better world they would be running BIND 9 and DNS
Expert, and they wouldn't have these problems, but then in a
perfect world they would all pay me huge sums of money to audit
their Internet configurations *8-)

	Simon 
-- 
Are you using the Internet to best effect ? www.eighth-layer.com
Tel: +44(0)1395 232769      ICQ: 116952768
Moderated discussion of teleworking at news:uk.business.telework
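
A check for the missing-$TTL oversight described in the message above, added here as an example for this archive page (it is not code from the thread or from BIND). It computes each record's effective TTL under the rule given there (explicit TTL, else the $TTL directive, else the SOA minimum field as BIND 8.2.3 does) over a constructed example.net zone, so a zone that has silently turned its negative-caching value into the TTL of every record can be spotted before it is loaded.

```python
# Constructed zone (assumption, not one of the zones in the thread): no $TTL
# directive, SOA minimum of 900 seconds, one record with an explicit TTL.
ZONE_MISSING_TTL = """\
$ORIGIN example.net.
@    IN SOA ns1.example.net. hostmaster.example.net. (
         2001082001 3600 900 604800   ; serial refresh retry expire
         900 )                        ; minimum: negative-caching TTL
     IN NS ns1.example.net.
www  IN A  192.0.2.10
mail 86400 IN A 192.0.2.20            ; explicit TTL survives
"""

def _logical_lines(text):
    """Drop ';' comments and join parenthesised continuation lines."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield " ".join(buf)
            buf = []

def effective_ttls(zone_text):
    """[(owner, rtype, ttl, source)]; source is explicit, $TTL or SOA minimum."""
    default_ttl = soa_minimum = None
    owner, out = "@", []
    for line in _logical_lines(zone_text):
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        if line.startswith("$"):            # $ORIGIN etc. do not affect TTLs
            continue
        toks = line.split()
        if not line[0].isspace():           # leading blank = same owner as before
            owner, toks = toks[0], toks[1:]
        explicit = None
        while toks and (toks[0].isdigit() or toks[0].upper() in ("IN", "CH", "HS")):
            tok = toks.pop(0)
            explicit = int(tok) if tok.isdigit() else explicit
        rtype = toks[0].upper()
        rdata = [t.strip("()") for t in toks[1:] if t.strip("()")]
        if rtype == "SOA":
            soa_minimum = int(rdata[-1])    # BIND 8.2.3 falls back to this value
        ttl, source = ((explicit, "explicit") if explicit is not None else
                       (default_ttl, "$TTL") if default_ttl is not None else
                       (soa_minimum, "SOA minimum"))
        out.append((owner, rtype, ttl, source))
    return out
```

Any row whose source is "SOA minimum" is a record that inherited the negative-caching value; prepending a `$TTL` line to the zone text is the fix and makes those rows disappear.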
