TTLs and Timeout Question

Kevin Oberman oberman at es.net
Tue Mar 29 17:52:49 UTC 2011


> From: "listmail" <listmail at entertech.com>
> Date: Tue, 29 Mar 2011 09:58:27 -0700
> Sender: bind-users-bounces+oberman=es.net at lists.isc.org
> 
> I'm investigating the failure of a slave server during a network outage at a
> primary server.
> 
> The slave server was running and answering queries, but not delivering results
> for domains for which it is authoritative during the outage. Since the outage
> occurred in the middle of the night, I have no tests during the outage period
> and have to infer from logs and the behavior of everything that depended on
> this server.
> 
> The SOA TTL was 1 week on most zones, but the individual records had short
> TTLs, on the order of an hour. The outage lasted long enough for these shorter
> TTLs to expire.
> 
> My question is: Will a BIND slave server stop serving RRs when their
> individual TTLs have expired, or only when the SOA TTL has expired?

Bill,

You are getting issues confused. TTL is the time for a server to cache
data for which it is not authoritative. For an authoritative server TTL
is irrelevant. Also, the TTL in the SOA is the TTL for negative cache
entries, not cached data. (And, if the server is authoritative, it is
NOT cached data.)

The relevant field in the SOA is the "expire" field. The data is current
as long as, within that interval, the server has either transferred the
zone from the master server or confirmed (via serial #) that the current
data is still current. If the data is expired, the slave will stop
serving it. Until then, it will serve it and TTL has absolutely nothing
to do with this.

I should note that you really need to have rational values for refresh,
retry, and expire in your SOA. I like a refresh on the order of an hour
for stable zones and 15-30 minutes for fast changing ones. I set retry
to about 15 minutes and expire to a couple of weeks.

Finally, you probably want your minimum TTL set to a fairly short time
like 15 minutes so that you will not continue to use a negative cache
entry for too long. It is fairly common for a new name to be queried
before it gets into DNS. It may get updated in just a few seconds, but
the server will continue to respond that it does not exist until the
negative cache TTL expires.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net			Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
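The following is an added example, not part of the original post or of BIND itself. It models the SOA timers the reply describes: a slave keeps answering until EXPIRE seconds have passed since its last successful refresh, regardless of individual RR TTLs; while the master is unreachable it polls at REFRESH and then every RETRY until the zone expires; and a negative answer is cached for min(SOA MINIMUM, SOA TTL) per RFC 2308. The SOA line, timestamps and the thresholds in `soa_sanity` are constructed for illustration (the timer values mirror the reply's own recommendations).

```python
"""Model of the SOA timers that govern a BIND slave during a master outage.

Added example; zone data and timestamps are constructed, not taken from
any real zone.
"""
from dataclasses import dataclass
from typing import List

# Constructed SOA line: refresh 1h, retry 15m, expire 2 weeks, minimum 15m.
# 604800 is the SOA record's own TTL (the "1 week" from the question).
SAMPLE_SOA = ("example.net. 604800 IN SOA ns1.example.net. hostmaster.example.net. "
              "2011032901 3600 900 1209600 900")


@dataclass(frozen=True)
class SOA:
    ttl: int        # TTL of the SOA RR itself
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int    # negative-cache TTL field (RFC 2308)


def parse_soa(line: str) -> SOA:
    """Parse a one-line master-file SOA record into its timer fields."""
    f = line.split()
    if len(f) != 11 or f[2:4] != ["IN", "SOA"]:
        raise ValueError("expected '<name> <ttl> IN SOA <mname> <rname> <5 numbers>'")
    serial, refresh, retry, expire, minimum = (int(x) for x in f[6:11])
    return SOA(int(f[1]), serial, refresh, retry, expire, minimum)


def slave_still_serves(soa: SOA, last_success: int, now: int) -> bool:
    """True while fewer than EXPIRE seconds have passed since the slave last
    transferred the zone or confirmed the serial with the master. Individual
    RR TTLs play no part in this decision."""
    return now - last_success < soa.expire


def poll_offsets(soa: SOA) -> List[int]:
    """Seconds after the last successful refresh at which the slave contacts
    the master while every attempt fails: once at REFRESH, then every RETRY,
    until the zone expires."""
    offsets = []
    t = soa.refresh
    while t < soa.expire:
        offsets.append(t)
        t += soa.retry
    return offsets


def negative_cache_ttl(soa: SOA) -> int:
    """RFC 2308 section 5: a cached NXDOMAIN/NODATA answer lives for
    min(SOA MINIMUM, SOA TTL)."""
    return min(soa.minimum, soa.ttl)


def soa_sanity(soa: SOA) -> List[str]:
    """Flag timer combinations the reply calls irrational. The thresholds are
    this example's assumptions, derived from the reply's own numbers."""
    warnings = []
    if soa.retry >= soa.refresh:
        warnings.append("retry should be shorter than refresh")
    if soa.expire <= soa.refresh + soa.retry:
        warnings.append("expire leaves no room for a single retry")
    if soa.expire < 7 * 86400:
        warnings.append("expire under a week: a long outage can drop the zone")
    if soa.minimum > 3600:
        warnings.append("minimum over an hour: new names look absent for too long")
    return warnings


if __name__ == "__main__":
    soa = parse_soa(SAMPLE_SOA)
    # Constructed scenario: last refresh at t=0, master unreachable for 8 hours,
    # record TTLs of one hour (which expire during the outage but do not matter).
    print("still serving after 8h outage:", slave_still_serves(soa, 0, 8 * 3600))
    print("first polls during outage (s):", poll_offsets(soa)[:3])
    print("zone drops at (s):", soa.expire)
    print("negative cache TTL (s):", negative_cache_ttl(soa))
    print("sanity warnings:", soa_sanity(soa) or "none")
```

With the sample values the slave keeps answering authoritatively for the whole overnight outage even though every hour-long RR TTL has passed; it only goes silent (SERVFAIL in BIND) once the two-week expire window lapses without a successful refresh or serial check.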
