DNS TTLs [was: help with BIND SRV]
On Fri, Oct 08, 2004 at 05:08:45AM -0600, Nate Duehr wrote:
> Juha-Matti Tapio wrote:
> >On Thu, Oct 07, 2004 at 08:23:31PM -0600, Nate Duehr wrote:
> >>Most people setting up round-robin DNS type setups for redundancy with
> >>scripts to change things for failover get bit by these things:
> >>- They don't understand that there might be multiple DNS servers between
> >>their top-level and the machine they're servicing (3X and 4X TTL)
> >RFC 1035 specifies in chapter 6.1.3. that requests served from a cache
> >should return a TTL which has been decremented by the amount of seconds
> >in cache, i.e. the TTL "counts down" in the cache.
> >Therefore I consider any caching nameservers that do not do this broken.
> >Are there a significant amount of such servers out there?
> >Though I agree on most of the other points.
> Ahh... it's a trap. Think about this.
> 1 - Regular DNS server hosting "something.com"
> 2 - ISP's caching nameserver
> 3 - Your company's nameserver
> 4 - A caching nameserver on your desktop machine
> Now... add in here that let's say your company AND your ISP intercept
> all port 53 traffic and proxy all DNS requests through both of their
> servers. Not super-common -- but there ARE organizations and ISP's out
> there that do this for whatever convoluted security or other reasons.
> Depending on how the proxying is set up, each server can 100% implement
> the RFC you mention and a change on server 1 to a record that's cached
> on your local desktop machine's nameserver will take 3X TTL to show up
> at your desktop!
Please provide a detailed description of how that is possible with
RFC-compliant servers and caches. I really can't imagine that.
AFAIK there is no other way for a record to have a remaining TTL of
value "X" other than being served exactly X seconds earlier by an
authoritative nameserver. Any number of caching layers in between can't
change this, unless there are relativistic effects involved :-P Or do I
misunderstand the concept of TTL? (I.e. TTL gets 'frozen' at some point.)
Please note that I'm not saying that it is impossible in real world. I
only claim that this is impossible with RFC-compliant servers and
Marcin Owsiany <firstname.lastname@example.org> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216
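An added example, not part of the thread: a small model of the four-layer chain Nate lists (authoritative server, ISP cache, company cache, desktop cache) with a constructed warming schedule. It measures when a changed record becomes visible behind the last cache, once with RFC 1035 6.1.3 countdown and once with caches that hand out a "frozen" TTL; the `first_fresh_time` helper and its timings are assumptions of this example.

```python
"""Model of a chain of caching resolvers (constructed, not real DNS traffic):
how long does a changed record stay stale at the bottom of the chain?"""


class Authoritative:
    """Authoritative server: serves 'old' until change_at, 'new' afterwards."""
    def __init__(self, ttl, change_at):
        self.ttl, self.change_at = ttl, change_at

    def lookup(self, now):
        return ("new" if now >= self.change_at else "old"), self.ttl


class Cache:
    """One caching layer. A compliant cache returns the remaining TTL
    (RFC 1035 6.1.3: received TTL minus seconds spent in cache); a 'frozen'
    cache returns the TTL it received, however old the entry is."""
    def __init__(self, upstream, compliant=True):
        self.upstream, self.compliant = upstream, compliant
        self.entry = None  # (value, ttl_received, stored_at)

    def lookup(self, now):
        if self.entry is not None:
            value, ttl, stored_at = self.entry
            age = now - stored_at
            if age < ttl:
                return value, (ttl - age if self.compliant else ttl)
            self.entry = None  # expired: fall through and refetch
        value, ttl = self.upstream.lookup(now)
        self.entry = (value, ttl, now)
        return value, ttl


def first_fresh_time(ttl=300, warm_times=(0, 100, 200), compliant=True):
    """Build one cache per entry of warm_times (ISP, company, desktop, ...),
    each first populated by an unrelated client at warm_times[i] seconds
    (ascending). The record changes at t=1, after the first cache fill.
    A client behind the last cache then polls once per second; returns the
    first second at which it sees the new value (None if never)."""
    upstream = Authoritative(ttl, change_at=1)
    caches = []
    for t in warm_times:
        upstream = Cache(upstream, compliant)
        upstream.lookup(t)  # warm this layer; it pulls the old value down
        caches.append(upstream)
    bottom = caches[-1]
    for t in range(warm_times[-1], warm_times[-1] + (len(caches) + 1) * ttl):
        if bottom.lookup(t)[0] == "new":
            return t
    return None


if __name__ == "__main__":
    print("compliant caches:", first_fresh_time(compliant=True))   # 300
    print("frozen TTL caches:", first_fresh_time(compliant=False))  # 500
```

With countdown caches the new value is visible at exactly one TTL after the authoritative copy was first cached, however deep the chain; with frozen TTLs each extra layer can add up to another TTL, which is the "3X TTL" effect described above.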