Problems with bind9 caching too long
Fred Viles
fv+abuse at nospam.usen.epitools.com
Tue Mar 15 23:29:24 UTC 2005
Phil Dibowitz <phil at usc.edu> wrote in
news:d17jlh$2163$1 at sf1.isc.org:
>...
> No - that's my point... the TTL of the NS records isn't being
> obeyed!
But that's wrong. It's not that the TTL isn't being obeyed, it's
that the TTL of the NS records isn't being exceeded. Every time a
caching server makes a query for any name in the domain to the
authoritative server, it gets a fresh copy of the authoritative NS
records and starts a fresh TTL countdown.
When you change the (NON-authoritative) delegation records in the
parent zone, resolvers that still have authoritative copies of the
previous NS records in cache will (correctly!) query the old
servers. If the old servers continue to respond authoritatively
with INCORRECT data (the old NS records), then every time the
resolver makes a query in that zone it will get a fresh copy of the
incorrect, but AUTHORITATIVE, NS records and the TTL countdown will
(correctly!) start over.
This will continue until a full TTL interval passes with no new
queries being made, so the incorrect NS records can finally expire
from cache.
This is a misconfiguration of the authoritative servers, not a
misbehavior of the caching resolver.
> (OK, well with the new patch in BIND it is).
IMHO, the patch does not fix a bug in BIND. It implements an
objectionable hack to work around a misconfiguration created all
too frequently by incompetent and careless DNS administrators.
> Once again:
>
> parent.tld has:
> child.parent.tld 27000 IN NS ns.child.parent.tld
>
> once BIND has seen that (BIND pre-patch), it will keep that
> delegation *indefinitely*
On the contrary, it keeps it only as long as it takes to fetch an
authoritative RRset from an authoritative server.
> as long as requests keep requesting
> information on child.parent.tld AND ns.child.parent.tld
> continues to answer for child.parent.tld. It won't expire that
> NS record from parent.tld until ns.child.parent.tld stops
> talking about child or no requests come into the caching bind
> for 2 weeks.
First, 27000 is 7.5 hours. Second, 27000 is irrelevant. What's
relevant is the TTL of the authoritative NS records fetched from
ns.child.parent.tld (which is two days in your case).
>...
- Fred
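An added illustration (not from the thread or from BIND) of the refresh-on-every-query behaviour Fred describes, as a small Python simulation. The TTLs and the names parent.tld, child.parent.tld and ns.child.parent.tld are from the message; the simplified resolver model and the new server name ns-new.child.parent.tld are assumptions.

```python
# Simulation of the behaviour described above (constructed example, not BIND code).
# Assumed resolver model: an authoritative NS RRset returned by the zone's own
# server always replaces the cached copy and restarts the TTL countdown.
PARENT_TTL = 27000    # delegation TTL in parent.tld (7.5 hours), from the thread
CHILD_TTL = 172800    # TTL of the child's authoritative NS RRset (two days), from the thread
OLD_NS = "ns.child.parent.tld"
NEW_NS = "ns-new.child.parent.tld"   # constructed name for the server after the move


class Servers:
    """parent.tld now delegates to NEW_NS; the old server may still claim the zone."""

    def __init__(self, old_server_fixed=False):
        # old_server_fixed=True models the old server serving the correct NS set
        self.old_server_fixed = old_server_fixed

    def parent_delegation(self):
        return (NEW_NS, PARENT_TTL, False)     # non-authoritative referral

    def child_ns(self, asked_server):
        if asked_server == OLD_NS and not self.old_server_fixed:
            return (OLD_NS, CHILD_TTL, True)   # stale data, but authoritative
        return (NEW_NS, CHILD_TTL, True)


class CachingResolver:
    def __init__(self, servers):
        self.servers = servers
        self.ns = None   # cached NS RRset: (target, expires_at, authoritative)

    def query(self, now):
        """Look up some name in child.parent.tld at time `now`; return the server asked."""
        if self.ns is None or now >= self.ns[1]:
            # cache empty or expired: go back to the parent for the delegation
            target, ttl, auth = self.servers.parent_delegation()
            self.ns = (target, now + ttl, auth)
        asked = self.ns[0]
        target, ttl, auth = self.servers.child_ns(asked)
        # the authoritative answer carries a fresh NS RRset: TTL countdown restarts
        self.ns = (target, now + ttl, auth)
        return asked


def simulate(query_times, old_server_fixed=False):
    """Return (server asked per query, final cached NS entry)."""
    r = CachingResolver(Servers(old_server_fixed))
    r.ns = (OLD_NS, CHILD_TTL, True)   # authoritative copy cached at t=0, before the change
    return [r.query(t) for t in query_times], r.ns
```

With one query per hour, the stale server is asked for as long as the simulation runs; only a gap of a full CHILD_TTL with no queries, or the old server serving the correct NS set, moves the resolver to the new server, and the parent's 27000-second delegation TTL is overwritten the moment the new server answers.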