[dns-operations] Delegation inconsistency

John Kristoff jtk at ultradns.net
Wed Apr 26 18:09:22 UTC 2006


I had initiated a question regarding TTL consistency on the dnsop list:

  <http://darkwing.uoregon.edu/~llynch/dnsop/msg03687.html>

I had a brief follow-up discussion with Paul offline and he asked me
to write up and bring the discussion here.

In my dnsop list post I had shown a non-authoritative answer from the
TLD for the NS RRset for king.com.  The authoritative answer from either
name server in the set differs from the parent only in the TTL on the
NS RRs.

It is understood that the child has the authoritative answer and from
RFC 2181, section 5.4 it says this about the TTL:

  Note that if a server receives an answer containing an RRSet that is
  identical to that in its cache, with the possible exception of the
  TTL value, it may, optionally, update the TTL in its cache with the
  TTL of the received answer.  It should do this if the received answer
  would be considered more authoritative (as discussed in the next
  section) than the previously cached answer.

I was curious whether, in the strictest sense, differing TTLs between
the parent and child constitute an error.  The only discussion I found
that seemed to indicate this might be a real problem was at the top of
this page:

  <http://lancelot.cs.ucla.edu/dns/zones/spider/errors.html>

However, according to all the responses on the dnsop list and in my
offline discussion with Paul, while the parent may be wrong it is of
no practical consequence generally and in fact it is generally not
something that can be changed by the delegated zone admins.  However,
and someone please clear this up for me if I still have it wrong, a
rogue or uncooperative authoritative server can potentially cause
some trouble by handing out an authoritative answer with long TTLs on
the NS RRs, preventing changes to the NS RRset from taking effect
elsewhere for some period of time.

Paul also indicated that "if it's inside the domain who is using it
for a nameserver, then its ttl really should be as long as the delegated
domain's (child) NS RRset or else there's a chance an iterator will do
the wrong thing (if it's BIND4) or just go slow or even flood somebody
(maybe you, probably the roots) with repeated queries."

The second part of my question was regarding the different TTLs on
the A RRs in the additional section.  It is clear that these are
separate RRsets and I could find no claim of potential problems (other
than that there may occasionally be additional fetching required when
the record with the lower TTL expires).

John
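
Added example, not part of the original post: a Python sketch that classifies a parent/child NS RRset difference as TTL-only and applies a simplified form of the RFC 2181 section 5.4 rule, where the more authoritative answer replaces the cached set and its TTL. The zone name, name servers, TTL values and the two-level rank constants are constructed assumptions, not the king.com data from the dnsop post.

```python
from collections import namedtuple

RRset = namedtuple("RRset", "name rtype ttl rdata rank")

# Simplified trust ranks after RFC 2181 section 5.4.1 (higher = more trusted).
RANK_REFERRAL = 1     # NS RRs from the authority section of a parent referral
RANK_AUTH_ANSWER = 2  # answer section of an authoritative (AA) reply

# Constructed sample data (example.com, made-up TTLs), not captured answers.
PARENT_REFERRAL = """
example.com. 172800 IN NS ns1.example.net.
example.com. 172800 IN NS ns2.example.net.
"""
CHILD_ANSWER = """
example.com. 3600 IN NS NS2.example.net.
example.com. 3600 IN NS ns1.example.net.
"""

def parse(text, rank):
    """Build one RRset from dig-style 'owner ttl class type rdata' lines."""
    rows = [line.split() for line in text.strip().splitlines()]
    owners = {r[0].lower() for r in rows}
    rtypes = {r[3].upper() for r in rows}
    if len(owners) != 1 or len(rtypes) != 1:
        raise ValueError("input must contain exactly one RRset")
    ttl = min(int(r[1]) for r in rows)  # assumption: lowest TTL if rows differ
    rdata = frozenset(r[4].lower() for r in rows)  # names are case-insensitive
    return RRset(owners.pop(), rtypes.pop(), ttl, rdata, rank)

def compare(parent, child):
    """Classify how the parent's copy of an RRset differs from the child's."""
    if (parent.name, parent.rtype) != (child.name, child.rtype):
        return "different-rrset"
    if parent.rdata != child.rdata:
        return "rdata-mismatch"
    return "identical" if parent.ttl == child.ttl else "ttl-only"

def cache_update(cached, received):
    """Keep the more trusted copy; a more authoritative answer replaces the
    cached set, including its TTL, and a less trusted one is ignored."""
    return received if received.rank > cached.rank else cached

if __name__ == "__main__":
    parent = parse(PARENT_REFERRAL, RANK_REFERRAL)
    child = parse(CHILD_ANSWER, RANK_AUTH_ANSWER)
    print(compare(parent, child), cache_update(parent, child).ttl)
```
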


