DNS TTLs [was: help with BIND SRV]

To: debian-isp@lists.debian.org
Subject: DNS TTLs [was: help with BIND SRV]
From: Marcin Owsiany <porridge@debian.org>
Date: Fri, 8 Oct 2004 14:25:40 +0200
Message-id: <[🔎] 20041008122540.GA23516@melina11.ds11.agh.edu.pl>
Mail-followup-to: debian-isp@lists.debian.org
In-reply-to: <[🔎] 4166753D.7070904@natetech.com>
References: <[🔎] 20041005213141.GE13485@fargo.hipdesign.com> <[🔎] 90130000.1097141122@hick.kon.de> <[🔎] 20041007172033.GT24620@fargo.hipdesign.com> <[🔎] 200410072104.58055.fraser@georgetown.wehave.net> <[🔎] 4165FA23.9060006@natetech.com> <[🔎] 20041008062911.GA31445@verkkotelakka.net> <[🔎] 4166753D.7070904@natetech.com>

On Fri, Oct 08, 2004 at 05:08:45AM -0600, Nate Duehr wrote:
> Juha-Matti Tapio wrote:
> >On Thu, Oct 07, 2004 at 08:23:31PM -0600, Nate Duehr wrote:
> >
> >>Most people setting up round-robin DNS type setups for redundancy with 
> >>scripts to change things for failover get bit by these things:
> >
> >[...] 
> >
> >>- They don't understand that there might be multiple DNS servers between 
> >>their top-level and the machine they're servicing (3X and 4X TTL)
> >
> >
> >RFC 1035 specifies in chapter 6.1.3. that requests served from a cache
> >should return a TTL which has been decremented by the amount of seconds
> >in cache, i.e. the TTL "counts down" in the cache.
> >
> >Therefore I consider any caching nameservers that do not do this broken.
> >Are there a significant amount of such servers out there?
> >
> >Though I agree on most of the other points.
> 
> 
> Ahh... it's a trap.  Think about this.
> 
> 1 - Regular DNS server hosting "something.com"
> 2 - ISP's caching nameserver
> 3 - Your company's nameserver
> 4 - A caching nameserver on your desktop machine
> 
> Now... add in here that let's say your company AND your ISP intercept 
> all port 53 traffic and proxy all DNS requests through both of their 
> servers.  Not super-common -- but there ARE organizations and ISP's out 
> there that do this for whatever convoluted security or other reasons.
> 
> Depending on how the proxying is set up, each server can 100% implement 
> the RFC you mention and a change on server 1 to a record that's cached 
> on your local desktop machine's nameserver will take 3X TTL to show up 
> at your desktop!

Please provide a detailed description of how that is possible with
RFC-compliant servers and caches. I really can't imagine that.

AFAIK there is no other way for a record to have a remaining TTL of
value "X" other than being served exactly X seconds earlier by an
authorative nameserver. Any number of caching layers in between can't
change this, unless there are relativistic effects involved :-P Or do I
misunderstand the concept of TTL? (I.e TTL gets 'frozen' at some point.)

Please note that I'm not saying that it is impossible in real world. I
only claim that this is impossible with RFC-compliant servers and
caches.

Marcin
-- 
Marcin Owsiany <porridge@debian.org>             http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216

Reply to:

References:
- help with BIND SRV
  - From: August MacBeth <August@HiPDesign.com>
- Re: help with BIND SRV
  - From: Marcel Hicking <m.hicking@komplex.net>
- Re: help with BIND SRV
  - From: August MacBeth <August@HiPDesign.com>
- Re: help with BIND SRV
  - From: Fraser Campbell <fraser@georgetown.wehave.net>
- Re: help with BIND SRV
  - From: Nate Duehr <nate@natetech.com>
- Re: help with BIND SRV
  - From: Juha-Matti Tapio <jmtapio@verkkotelakka.net>
- Re: help with BIND SRV
  - From: Nate Duehr <nate@natetech.com>

Prev by Date: Re: help with BIND SRV
Next by Date: Re: help with BIND SRV
Previous by thread: Re: help with BIND SRV
Next by thread: Re: help with BIND SRV
Index(es):
- Date
- Thread