[dns-operations] caches only resetting TTL? was Re: Where to find "DNS resolution path corruption"?
gilles.massen at restena.lu
Tue Feb 26 13:07:20 UTC 2008
On Tuesday 26 February 2008 13:39, Antoin Verschuren wrote:
> So I'm curious where this behaviour originates from, so I have a stick to
> beat the ISP's to delete old authoritative zones. Is it broken cashing
> resolvers, ISP's caching longer than the zone's TTL, or is it in algorithms
> resolvers use to update their cache ?
I was able to reproduce this on a resolver which is running dnscache, as I was
> Supose there is this situation for example.com.
> I first query IN MX example.com.
> Somewhere in the resolution path, I will get the nameservers for
> example.com and the MX answers and cache them:
> example.com. 86400 IN MX 50 mail.example.com.
> example.com. 86400 IN NS ns1.example.com.
> Now when I do a query for f.e. IN A bla.example.com a little bit later,
> will it use the cached nameserver ns1.example.com since it's in the cache
> and has not expired yet, and will that record get updated in the proces of
> querying bla.example.com?
From what I saw: dnscache will update the TTL for ns1.example.com to its
original value. As a result, as long as there is one query per TTL, it will
never notice a change in the delegation.
bind9 also updates the TTL for ns1.example.com, but only to min( ttl for bla,
ttl for ns1), so that ns1.example.com will expire eventually.
> So will a cache verify ns1.example.com while it
> is using it, and update that record with a fresh one ? If that is so, then
> when I do a new query for the MX record when it has expired will update
> against false data again, and again, and again, untill no queries for the
> domain are asked to that resolver during a complete TTL.
Yes. So the more popular your records are, the more exposed you are to this.
But I don't know whether this behaviour is RFC compliant...haven't figured it
Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
tel: (+352) 424409
fax: (+352) 422473
More information about the dns-operations