Problems with bind9 caching too long

Fred Viles fv+abuse at nospam.usen.epitools.com
Tue Mar 15 23:29:24 UTC 2005


Phil Dibowitz <phil at usc.edu> wrote in
news:d17jlh$2163$1 at sf1.isc.org: 

>...
> No - that's my point... the TTL of the NS records isn't being
> obeyed!

But that's wrong.  It's not that the TTL isn't being obeyed, it's 
that the TTL of the NS records isn't being exceeded.  Every time a 
caching server makes a query for any name in the domain to the 
authoritative server, it gets a fresh copy of the authoritative NS 
records and starts a fresh TTL countdown.

When you change the (NON-authoritative) delegation records in the 
parent zone, resolvers that still have authoritative copies of the 
previous NS records in cache will (correctly!) query the old 
servers.  If the old servers continue to respond authoritatively 
with INCORRECT data (the old NS records), then every time the 
resolver makes a query in that zone it will get a fresh copy of the 
incorrect, but AUTHORITATIVE, NS records and the TTL countdown will 
(correctly!) start over.

This will continue until a full TTL interval passes with no new 
queries being made, so the incorrect NS records can finally expire 
from cache.  

This is a misconfiguration of the authoritative servers, not a 
misbehavior of the caching resolver.

> (OK, well with the new patch in BIND it is).

IMHO, the patch does not fix a bug in BIND.  It implements an 
objectionable hack to work around a misconfiguration created all 
too frequently by incompetent and careless DNS administrators.

> Once again:
> 
> parent.tld has:
>    child.parent.tld 27000 IN NS ns.child.parent.tld
> 
> once BIND has seen that (BIND pre-patch), it will keep that
> delegation *indefinitely*

On the contrary, it keeps it only as long as it takes to fetch an 
authoritative RRset from an authoritative server.

> as long as requests keep requesting
> information on child.parent.tld AND ns.child.parent.tld
> continues to answer for child.parent.tld. It won't expire that
> NS record from parent.tld until ns.child.parent.tld stops
> talking about child or no requests come into the caching bind
> for 2 weeks. 

First, 27000 is 7.5 hours.  Second, 27000 is irrelevant.  What's 
relevant is the TTL of the authoritative NS records fetched from 
ns.child.parent.tld (which is two days in your case).

>...

- Fred
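The cache behaviour Fred describes can be seen in a small simulation. This is an added example, not code from the thread or from BIND: a toy caching resolver that, on every query into the child zone, follows the NS record it currently holds, accepts the authoritative NS RRset that comes back, and restarts that RRset's TTL countdown. The zone and server names (child.parent.tld, ns.child.parent.tld, and a hypothetical replacement ns2.child.parent.tld) and the 27000-second delegation TTL and two-day authoritative TTL are taken from the thread; the replacement server name and the simulated clock are assumptions.

```python
from dataclasses import dataclass

HOUR = 3600
DAY = 24 * HOUR

ZONE = "child.parent.tld"          # zone discussed in the thread
OLD_NS = "ns.child.parent.tld"     # old server that keeps answering authoritatively
NEW_NS = "ns2.child.parent.tld"    # hypothetical replacement server (not in the thread)


@dataclass
class NSRecord:
    zone: str
    target: str
    ttl: int
    authoritative: bool  # True when learned from the zone's own NS RRset


class AuthServer:
    """Authoritative server for ZONE: every answer carries the NS RRset it is configured with."""

    def __init__(self, ns_target: str, ns_ttl: int):
        self.ns_target = ns_target
        self.ns_ttl = ns_ttl

    def query(self, qname: str) -> NSRecord:
        assert qname.endswith(ZONE)
        return NSRecord(ZONE, self.ns_target, self.ns_ttl, authoritative=True)


class CachingResolver:
    """Toy cache: keeps one NS record per zone together with its absolute expiry time."""

    def __init__(self, parent_delegation: NSRecord, servers: dict):
        self.parent_delegation = parent_delegation  # the parent's (non-authoritative) NS record
        self.servers = servers                      # nameserver host -> AuthServer
        self.cache = {}                             # zone -> (NSRecord, expiry time)

    def resolve(self, qname: str, now: int) -> str:
        """Resolve qname at simulated time `now`; return the server that was asked."""
        cached = self.cache.get(ZONE)
        if cached is None or cached[1] <= now:
            rec = self.parent_delegation   # cache miss or expired: fall back to the delegation
        else:
            rec = cached[0]                # still valid: follow whatever NS we hold
        answer = self.servers[rec.target].query(qname)
        # The authoritative NS RRset in the answer replaces the cached copy and
        # its TTL countdown starts over from `now`, exactly as described in the thread.
        self.cache[ZONE] = (answer, now + answer.ttl)
        return rec.target


def scenario(query_times, old_server_fixed_at=None):
    """At t=0 the parent delegation already points at NEW_NS, but the resolver still
    holds OLD_NS's authoritative two-day NS RRset, learned just before the change.
    If old_server_fixed_at is set, the old server starts serving the correct NS RRset
    at that time (the misconfiguration is repaired). Returns [(time, server asked)]."""
    old = AuthServer(OLD_NS, 2 * DAY)
    new = AuthServer(NEW_NS, 2 * DAY)
    delegation = NSRecord(ZONE, NEW_NS, 27000, authoritative=False)
    resolver = CachingResolver(delegation, {OLD_NS: old, NEW_NS: new})
    resolver.cache[ZONE] = (NSRecord(ZONE, OLD_NS, 2 * DAY, True), 2 * DAY)
    results = []
    for t in query_times:
        if old_server_fixed_at is not None and t >= old_server_fixed_at:
            old.ns_target = NEW_NS
        results.append((t, resolver.resolve("www." + ZONE, t)))
    return results


if __name__ == "__main__":
    # Hourly queries for five days: the old server is asked every single time.
    busy = scenario(range(HOUR, 5 * DAY, HOUR))
    print("busy resolver, servers asked:", {s for _, s in busy})
    # A gap longer than the two-day TTL lets the record expire; the next query
    # goes back to the parent delegation and reaches the new server.
    print("after a 3-day gap:", scenario([HOUR, 3 * DAY]))
    # Fixing the old server's NS RRset corrects the cache on the very next query.
    print("old server fixed at day 1:", dict(scenario(range(HOUR, 3 * DAY, HOUR), DAY))[DAY + HOUR])
```

The 27000-second delegation TTL never enters the steady-state case: it is consulted only on a cache miss, and a miss cannot happen while queries keep arriving inside the two-day window of the authoritative RRset. The third scenario shows why the remedy lies with the old server: once it serves the correct NS RRset, every resolver corrects itself on its next query without waiting for anything to expire.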
