TTL Question

Mark Andrews Mark_Andrews at isc.org
Wed Oct 17 00:40:48 UTC 2007


> 
> On Wed, 17 Oct 2007, Mark Andrews wrote:
> 
> >
> >>
> >> On Wed, 17 Oct 2007, Mark Andrews wrote:
> >>
> >>>
> >>>>
> >>>> What dictates how long another name server caches the authoritative name
> >>>> server for a domain? I was under the impression it was the default
> >>>> time-to-live, but I have a situation where an authoritative name server
> >>>> was removed from service several days ago, yet queries to it continue. Dig
> >>>> is correctly reporting the new authoritative name servers for the domain
> >>>> in question. How common is it for DNS servers to ignore the ttl?
> >>>
> >>> 	Because you failed to update *ALL* the servers for the zone to
> >>> 	have the new content.  Every time a cache queries the old servers
> >>> 	it re-learns the old NS RRset for the zone.
> >>>
> >>> 	Mark
> >>>
> >> Mark,
> >>
> >> Do you know something I don't? Our registrar (Canhost) was contacted to
> >> have the DNS server removed. When I check cira.ca, that appears to have
> >> been done (it correctly lists our nameservers). Did I miss a step?
> >>
> >> -Mike
> >
> > 	NS records are in THREE places.
> >
> > 		The parent zone.
> > 		The new (current) servers.
> > 		The old servers.
> >
> > 	Not changing the old servers to have the new NS RRset gives
> > 	exactly these symptoms.
> >
> > 	Nameservers cache answers AND authority AND additional
> > 	sections.  If you fail to update the old server to have the
> > 	new content then every time the nameserver fetches data from
> > 	the zone it re-learns the NS RRset via the authority section.
> >
> > 	[The same thing can happen also with the addresses for the
> > 	nameservers.]
> >
> > 	When you change nameservers you need to ensure ALL servers
> > 	are giving CONSISTENT answers. Both old, new and parent.
> > 	Once ALL the records involved in the delegation (NS/A/AAAA)
> > 	with old information have timed out you can then shut down
> > 	the old servers.
> >
> > 	Mark
> >
> > ; <<>> DiG 9.3.4-P1 <<>> a McMaster.CA @baldric.cis.McMaster.CA +norec
> > ; (1 server found)
> > ;; global options:  printcmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43303
> > ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
> >
> > ;; QUESTION SECTION:
> > ;McMaster.CA.			IN	A
> >
> > ;; ANSWER SECTION:
> > McMaster.CA.		60	IN	A	130.113.64.65
> >
> > ;; AUTHORITY SECTION:
> > McMaster.CA.		3600	IN	NS	blackadder.CIS.McMaster.CA.
> > McMaster.CA.		3600	IN	NS	baldric.CIS.McMaster.CA.
> >
> > ;; ADDITIONAL SECTION:
> > baldric.CIS.McMaster.CA. 3600	IN	A	130.113.64.1
> > blackadder.CIS.McMaster.CA. 3600 IN	A	130.113.128.1
> >
> > ;; Query time: 243 msec
> > ;; SERVER: 130.113.64.1#53(130.113.64.1)
> > ;; WHEN: Wed Oct 17 09:22:08 2007
> > ;; MSG SIZE  rcvd: 128
> >
> > -- 
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
> 
> 
> Mark, thanks. The 'dig' output above is ALL correct and those are our 
> valid name servers.
> 
> Let me explain a bit more. Two new external name servers were added via 
> our Registrar during - let's call it an experiment gone bad - that 
> immediately caused problems, our Registrar was contacted and they were 
> removed (albeit a day later due to an oversight on their part). Our 
> original name servers above are configured exactly as they were.
> 
> Since then several sites have reported having a problem sending us mail. 
> The error that I've seen in the bounce reports is something to the effect 
> "Delivery expired (message too old) 'no valid ip addresses'". It's only 
> affecting a few sites and I don't have enough information from them to 
> know for sure that it's related, but based on the timing, it must be. 
> Anyway, it's been about 4 days since the errant records were removed, and 
> we are still getting complaints. I'm assuming these sites have the errant 
> Name Servers cached and are not letting go, hence my question.
> 
> 
> -Mike

	So what were the addresses of the nameservers you attempted to
	move to?
	Are they still answering for McMaster.CA?  
	Can you make them slaves of the current zone?

	Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
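
The consistency check described in the thread (parent, current and old servers must all return the same NS RRset), as an added example that is not part of the original message. The ns*.example.net servers and every TTL other than 3600 are constructed placeholders, and the input is dig +norec style text embedded inline, so nothing is queried.

```python
import re

ZONE = "mcmaster.ca."

# Constructed dig +norec style NS lines, keyed by the server that was asked.
# baldric/blackadder are the names in the thread's dig output; the
# ns*.example.net servers and all TTLs except 3600 are placeholders.
RESPONSES = {
    "parent": """
        McMaster.CA. 86400 IN NS baldric.CIS.McMaster.CA.
        McMaster.CA. 86400 IN NS blackadder.CIS.McMaster.CA.""",
    "baldric.CIS.McMaster.CA.": """
        McMaster.CA. 3600 IN NS blackadder.CIS.McMaster.CA.
        McMaster.CA. 3600 IN NS baldric.CIS.McMaster.CA.""",
    "ns1.example.net.": """
        McMaster.CA. 172800 IN NS ns1.example.net.
        McMaster.CA. 172800 IN NS ns2.example.net.""",
}

NS_LINE = re.compile(r"^\s*(\S+)\s+(\d+)\s+IN\s+NS\s+(\S+)\s*$", re.IGNORECASE)

def ns_rrset(text, zone=ZONE):
    """Return (frozenset of NS targets, highest TTL) for `zone`.
    DNS names compare case-insensitively, so everything is lower-cased."""
    targets, ttl = set(), 0
    for line in text.splitlines():
        m = NS_LINE.match(line)
        if m and m.group(1).lower() == zone:
            targets.add(m.group(3).lower())
            ttl = max(ttl, int(m.group(2)))
    return frozenset(targets), ttl

def audit(responses, reference="parent"):
    """Compare every server's NS RRset with the reference server's.
    Returns (stale, wait): stale maps each disagreeing server to the NS set
    it still hands out; wait is the largest NS TTL seen, i.e. how long a
    cache may hold an old RRset after the last server has been corrected."""
    parsed = {srv: ns_rrset(txt) for srv, txt in responses.items()}
    want = parsed[reference][0]
    stale = {srv: sorted(ns) for srv, (ns, _) in parsed.items() if ns != want}
    wait = max(ttl for _, ttl in parsed.values())
    return stale, wait

if __name__ == "__main__":
    stale, wait = audit(RESPONSES)
    for srv, ns in stale.items():
        print(f"{srv} still serves NS {ns}")
    print(f"once all servers agree, keep the old ones up for at least {wait}s")
```

The wait value covers NS records only; the A/AAAA records for the nameservers have their own TTLs and need the same comparison.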
