
DNS TTLs [was: help with BIND SRV]

On Fri, Oct 08, 2004 at 05:08:45AM -0600, Nate Duehr wrote:
> Juha-Matti Tapio wrote:
> >On Thu, Oct 07, 2004 at 08:23:31PM -0600, Nate Duehr wrote:
> >
> >>Most people setting up round-robin DNS type setups for redundancy with 
> >>scripts to change things for failover get bit by these things:
> >
> >[...] 
> >
> >>- They don't understand that there might be multiple DNS servers between 
> >>their top-level and the machine they're servicing (3X and 4X TTL)
> >
> >
> >RFC 1035 specifies in chapter 6.1.3. that requests served from a cache
> >should return a TTL which has been decremented by the amount of seconds
> >in cache, i.e. the TTL "counts down" in the cache.
> >
> >Therefore I consider any caching nameservers that do not do this broken.
> >Are there a significant amount of such servers out there?
> >
> >Though I agree on most of the other points.
> Ahh... it's a trap.  Think about this.
> 1 - Regular DNS server hosting "something.com"
> 2 - ISP's caching nameserver
> 3 - Your company's nameserver
> 4 - A caching nameserver on your desktop machine
> Now... add in here that let's say your company AND your ISP intercept 
> all port 53 traffic and proxy all DNS requests through both of their 
> servers.  Not super-common -- but there ARE organizations and ISP's out 
> there that do this for whatever convoluted security or other reasons.
> Depending on how the proxying is set up, each server can 100% implement 
> the RFC you mention and a change on server 1 to a record that's cached 
> on your local desktop machine's nameserver will take 3X TTL to show up 
> at your desktop!

Please provide a detailed description of how that is possible with
RFC-compliant servers and caches. I really can't imagine that.

AFAIK there is no other way for a record to have a remaining TTL of
value "X" other than being served exactly X seconds earlier by an
authoritative nameserver. Any number of caching layers in between can't
change this, unless there are relativistic effects involved :-P Or do I
misunderstand the concept of TTL? (I.e. TTL gets 'frozen' at some point.)

Please note that I'm not saying that it is impossible in the real world. I
only claim that this is impossible with RFC-compliant servers and

Marcin Owsiany <porridge@debian.org>             http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216

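The two positions in the exchange above can be checked with a small model. The following Python is an added example, not code from the thread or from any of the resolvers mentioned in it: it builds a chain of caching resolvers in front of an authoritative server, with each cache either decrementing the TTL as RFC 1035 section 6.1.3 requires or handing out the TTL it received unchanged on every hit (the "frozen" TTL case), and then brute-forces the fetch timings that maximise how long a changed record stays stale at the end of the chain. The roles (ISP, company, desktop caches), the 300 s and 10 s TTLs and the fetch timings are made up for the model.

```python
"""
Added example, not code from the thread above: a toy model of a chain of
DNS caches to check the two claims made in the exchange.

 - Caches that follow RFC 1035 section 6.1.3 hand out a cached RR with its
   TTL decremented by the seconds it has spent in the cache.  Through any
   number of such caches the client sees (authoritative TTL - seconds since
   the authoritative answer), so a change reaches the client within 1x TTL.
 - A cache that hands out the TTL it *received* on every hit (the TTL is
   "frozen") lets the cache behind it hold the record for up to another
   TTL, so three caches of which two are frozen give roughly 3x TTL.

The server/cache roles, TTL values and fetch timings are made up.
"""
import itertools
from dataclasses import dataclass


@dataclass
class Record:
    value: str
    ttl: int            # TTL (seconds) as carried in the answer


class Authoritative:
    """Authoritative server: always answers with the zone's full TTL."""
    def __init__(self, value, ttl):
        self.value, self.ttl = value, ttl

    def query(self, now):
        return Record(self.value, self.ttl)


class Cache:
    """Caching resolver in front of `upstream` (a Cache or Authoritative).
    frozen=False: compliant, hands out received TTL minus seconds in cache.
    frozen=True : broken, hands out the received TTL unchanged on every hit
                  (it still drops its own copy when that TTL runs out)."""
    def __init__(self, upstream, frozen=False):
        self.upstream, self.frozen = upstream, frozen
        self.entry = None        # (Record as received, second it was received)
        self.expires_at = -1     # first second at which the copy is gone

    def query(self, now):
        if self.entry is not None and now < self.expires_at:
            rec, t0 = self.entry
            return Record(rec.value, rec.ttl if self.frozen else rec.ttl - (now - t0))
        rec = self.upstream.query(now)          # miss: ask upstream
        self.entry, self.expires_at = (rec, now), now + rec.ttl
        return Record(rec.value, rec.ttl)


def build_chain(ttl, frozen_flags):
    """Authoritative server plus one Cache per flag, outermost cache first."""
    chain = [Authoritative("old", ttl)]
    for frozen in frozen_flags:
        chain.append(Cache(chain[-1], frozen))
    return chain


def ttl_seen_by_client(ttl, frozen_flags, t):
    """TTL the end client sees at second t when one lookup at t=0 filled every cache."""
    chain = build_chain(ttl, frozen_flags)
    chain[-1].query(0)
    return chain[-1].query(t).ttl


def staleness(ttl, frozen_flags, fills):
    """Seconds after a zone change during which the end client can still get
    'old'.  fills[i] is the second at which other traffic makes cache i fetch
    the record (fills[0] == 0: the outermost cache took the old RR just before
    the change); the end client polls the innermost cache every second from
    fills[-1] onwards."""
    chain = build_chain(ttl, frozen_flags)
    auth, caches = chain[0], chain[1:]
    assert len(fills) == len(caches) and fills[0] == 0
    caches[0].query(0)
    auth.value = "new"                          # the zone changes at t = 0
    last_old = -1
    for t in range(ttl * (len(caches) + 1)):
        for cache, fill_at in zip(caches, fills):
            if fill_at == t:
                cache.query(t)                  # no-op if it already has a live copy
        if t >= fills[-1]:
            if caches[-1].query(t).value != "old":
                break
            last_old = t
    return last_old + 1


def worst_case_staleness(ttl, frozen_flags):
    """Brute force staleness() over all fill timings; keep ttl and chain small."""
    n = len(frozen_flags)
    horizon = range(ttl * (n + 1))
    return max(staleness(ttl, frozen_flags, (0,) + rest)
               for rest in itertools.product(horizon, repeat=n - 1))


if __name__ == "__main__":
    print(ttl_seen_by_client(300, [False] * 3, 120))          # 180: counts down
    print(ttl_seen_by_client(300, [False, False, True], 120))  # 300: frozen last hop
    print(worst_case_staleness(10, [False] * 3))              # 10 = 1x TTL
    print(worst_case_staleness(10, [True, True, False]))      # 28 = about 3x TTL
```

The brute-force search is what makes this useful as a check: it finds the fetch timings that maximise staleness instead of relying on one hand-picked schedule, and with all caches compliant no schedule gets past one TTL, while each frozen cache that has another cache behind it can add up to one more. Against a real resolver the equivalent check is to repeat `dig` for the same name and watch the TTL column of the answer: on a compliant cache it counts down between queries, and a cache whose TTL column comes back at the zone's value on every answer is the "frozen" kind modelled here.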