
Re: how to relocate servers transparently

On Jun 20, 2004, at 9:19 AM, Fraser Campbell wrote:

On June 18, 2004 12:49 am, Nate Duehr wrote:

No, this isn't right. You must lower the TTL time at a bare minimum 2 * (Current TTL) ahead of time. Why? Because nameservers out in the real world will not even query your nameservers again until the TTL has expired, meaning that if you change it today, the FIRST time another nameserver that has already cached your records will ask for it again is after the *current* TTL expires. Now take the case where one nameserver is a forwarder for another (rare, but there are environments where it's needed) and the one behind the forwarder could take up to 2 * TTL to come ask for new information.

Can you explain that a little further? If my nameserver caches a record with TTL 86400, and someone asks for it again an hour later I hand them the record from my cache using TTL 82800 (not 86400). This is certainly what BIND does; if other caching nameservers do it differently then it's a bug IMHO.

No that's correct, but if you look at the descriptions originally given the posters were saying that as soon as the main nameserver is changed the changes show up at the nameservers that have cached the records. That's not true. Here's an example:

Let's say the original poster changed that record you are talking about above... your nameserver would continue to hand out the old record until the TTL expired.

Now let's say you're talking about a large company where they have implemented DNS forwarders or an internal and external environment where the internal DNS server forwards queries to a specific server or group of servers in their DMZ.

Now that far internal server will have its own cache also. So the TTL has to expire on the internal server, the machine in the DMZ and only THEN will it ever query the master again.

Of course, the way around this is to get the clients to go to a completely new name that never existed before -- then no one has it cached and they *must* come to the authoritative server(s).

I would be very surprised if it is different when DNS queries are being forwarded from one DNS server to another. Or did you mean something else?

I was specifically speaking about the "forwarders" configuration in named.conf. It is used (rarely, but is used) by some large organizations for the purposes mentioned above.

So you're correct, in most cases it won't happen -- but there are people out there with some very deep DNS server cascading.

Nate Duehr, nate@natetech.com
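The two-level cascade discussed in this thread, as an added simulation that is not code from either poster: an authoritative server changes a record at t=0, an internal resolver forwards to a DMZ forwarder, and each cache either hands out the remaining TTL (the BIND behaviour described above) or restarts the full TTL on every answer (a non-decrementing cache). The timings in WORST_CASE are constructed; the class and function names are my own.

```python
"""Propagation of a DNS record change through cascaded caching resolvers."""


class Authority:
    """Authoritative server: answers with the current value and the full TTL."""
    def __init__(self, value, ttl):
        self.value, self.ttl = value, ttl

    def query(self, now):
        return self.value, self.ttl


class Cache:
    """Caching resolver that re-queries upstream only once its copy has expired."""
    def __init__(self, upstream, decrement=True):
        self.upstream, self.decrement = upstream, decrement
        self.value, self.ttl, self.expires = None, 0, None

    def query(self, now):
        if self.expires is None or now >= self.expires:
            self.value, self.ttl = self.upstream.query(now)
            self.expires = now + self.ttl
        # decrement=True: hand out the time left (RFC 1035 behaviour);
        # decrement=False: hand out the original TTL again (non-decrementing cache)
        return self.value, (self.expires - now) if self.decrement else self.ttl


def propagation_delay(ttl, decrement, prime_events):
    """Seconds after the change at t=0 until a client of the internal server
    first sees the new value. prime_events lists (time, level) queries made
    before the change; level "dmz" hits the forwarder, "internal" the inner server."""
    auth = Authority("OLD", ttl)
    dmz = Cache(auth, decrement)          # forwarder in the DMZ
    internal = Cache(dmz, decrement)      # internal server forwarding to the DMZ box
    for t, level in sorted(prime_events):
        (dmz if level == "dmz" else internal).query(t)
    auth.value = "NEW"                    # the master publishes the change at t=0
    now = 0
    while internal.query(now)[0] != "NEW":
        now += 1
    return now


# Constructed worst case: the DMZ forwarder refreshed the OLD record one second
# before the change, while the internal server's copy came from an earlier fetch.
WORST_CASE = [(-104, "dmz"), (-5, "internal"), (-1, "dmz")]

if __name__ == "__main__":
    for dec in (True, False):
        delay = propagation_delay(100, dec, WORST_CASE)
        print(f"decrementing={dec}: new value visible after {delay}s (TTL=100)")
```

With decrementing caches the internal server sees the change after one TTL (99 s here); the non-decrementing cache pushes it out to nearly 2 * TTL (195 s), which is the case that makes lowering the TTL well ahead of the move worthwhile.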
