DNS TTLs revisited
Kevin Darcy
kcd at daimlerchrysler.com
Fri Feb 6 01:11:19 UTC 2004
Robert Gahl wrote:
>At 04:02 PM 2/5/2004, Barry Margolin wrote:
>
>
>
>>In article <bvuho7$2ath$1 at sf1.isc.org>, Robert Gahl <bgahl at bawcsa.org>
>>wrote:
>>
>>
>>
>>>Thus my question: Do earlier versions of BIND lack the ability to
>>>
>>>
>>recognize
>>
>>
>>>the specific setting of TTLs on individual hosts?
>>>
>>>
>>This is a meaningless question. That's the *only* place that TTLs
>>exist. If they didn't recognize this, they wouldn't recognize TTLs at
>>all, since there are no other TTLs to recognize.
>>
>>
>
>I'm sorry it is meaningless. It was the only way I knew to phrase it.
>
>
>
>>The "default TTL" of the zone is not communicated at all in the DNS
>>protocol, it's only a syntactic convenience used when named parses the
>>zone file. There's absolutely no way for a client of the server to tell
>>the difference between explicit per-record TTLs and TTLs inherited from
>>the default.
>>
>>
>
>Thanks. This does help me understand it a bit better.
>
>
>
>>Are you sure that your changes have propagated to all your slave
>>servers? And how long after you changed the TTL on the record did you
>>do your tests? If it was less than the old TTL, then you're just seeing
>>records that are still in the caches, because the old TTL allowed them
>>to stay around for a day.
>>
>>
>
>I haven't made a change in months (until today). That is what is so
>confusing. Here is an example (and, granted, it isn't like running "dig" on
>a remote site, but you'll get the idea):
>
>
>
>>web <bgahl>: dig ssl-hints.netflame.cc
>>
>>; <<>> DiG 8.2 <<>> ssl-hints.netflame.cc
>>;; res options: init recurs defnam dnsrch
>>;; got answer:
>>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
>>;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
>>;; QUERY SECTION:
>>;; ssl-hints.netflame.cc, type = A, class = IN
>>
>>;; ANSWER SECTION:
>>ssl-hints.netflame.cc. 30S IN A 63.146.119.84
>>
>>;; AUTHORITY SECTION:
>>netflame.cc. 18h26m5s IN NS ns2.netflame.cc.
>>netflame.cc. 18h26m5s IN NS ns1.netflame.cc.
>>
>>;; ADDITIONAL SECTION:
>>ns1.netflame.cc. 18h26m5s IN A 65.200.204.52
>>ns2.netflame.cc. 24m25s IN A 63.146.119.80
>>
>>;; Total query time: 5 msec
>>;; FROM: web to SERVER: default -- 63.146.119.75
>>;; WHEN: Thu Feb 5 16:39:43 2004
>>;; MSG SIZE sent: 39 rcvd: 123
>>
>>
>
>This is correct. It is what I expect. However, go to this link:
>
>http://ntcanuck.com/net/tools/dig/index.php?dns=&qry=ssl-hints.netflame.cc&cls=IN&typ=ANY&cmdQuery=Query
>
>It sure doesn't say 30 seconds.
>
You have both a CNAME record and an A record for ssl-hints.netflame.cc.
That's illegal.
Also, it looks like you accidentally reduced the TTL on your NS records
to 30 seconds. Bad.
% dig ssl-hints.netflame.cc any @ns2.netflame.cc
; <<>> DiG 9.2.2rc1 <<>> ssl-hints.netflame.cc any @ns2.netflame.cc
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16742
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;ssl-hints.netflame.cc. IN ANY
;; ANSWER SECTION:
ssl-hints.netflame.cc. 30 IN CNAME ssl-log.netflame.cc.
;; AUTHORITY SECTION:
netflame.cc. 30 IN NS ns1.netflame.cc.
netflame.cc. 30 IN NS ns2.netflame.cc.
;; ADDITIONAL SECTION:
ns1.netflame.cc. 86400 IN A 65.200.204.52
ns2.netflame.cc. 86400 IN A 63.146.119.80
;; Query time: 61 msec
;; SERVER: 63.146.119.80#53(ns2.netflame.cc)
;; WHEN: Thu Feb 5 20:08:34 2004
;; MSG SIZE rcvd: 129
- Kevin
More information about the bind-users
mailing list