[dns-operations] How much trouble am in in on May 5?

Doug Barton dougb at dougbarton.us
Thu May 6 06:54:45 UTC 2010


On 05/05/10 23:30, Jaap Akkerhuis wrote:
> Doug,
>     
> If I understand you correctly,
> 
>     The root hints file has the following:
>     .                        3600000  IN  NS    A.ROOT-SERVERS.NET.
>     A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
>     A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:BA3E::2:30
>     
>     But 'dig @<a-m>.root-servers.net . ns produces the following for all but
>     H, K, and L:
>     ;; ANSWER SECTION:
>     .                       518400  IN      NS      a.root-servers.net.
>     ...
>     ;; ADDITIONAL SECTION:
>     a.root-servers.net.     3600000 IN      A       198.41.0.4
> 
> ... you point to the diffrence in TTLs.

Yes, I am pointing out that what's returned by a-g,i,j,m is not what's
in the root zone. (And, as a side effect pointing out that the A record
TTLs are at least in some cases different from the NS record TTLs, and
also that 41+ days is a silly TTL in this situation ... let's see, am I
forgetting anything?)

> There is nothing new in this. This is the difference between NSD &
> BIND.  It has been pointed out various root operators in the past.

I didn't say it was new, I said it was interesting. :)

> If I remember correctly, NSD takes the TTL for root-servers.net and
> not from the glue.

I don't think so. All of the roots return:
a.root-servers.net.	3600000	IN	A	198.41.0.4
for a direct query for the A record. So the BIND servers are either
getting the 3600000000000000 number from the root.hints file, OR the
root-servers.net zone (more likely), and returning it in the ADDITIONAL
section instead of the TTL value from the glue record that's in the root
zone itself. Arguably (and I really don't feel like digging through
chapter and verse right now) BIND is actually being more correct here.

... and of course this circles back to the original question, which is
why aren't the TTL values for the address records consistent in the root
zone and in the root-servers.net zone, and why aren't they both
consistent with the TTL values of the NS records? Since you mentioned
the root-servers.net zone, let's poke at it a bit:

Checking zone NS set against parent

Error: parent has:
	a.root-servers.net	f.root-servers.net
	j.root-servers.net	k.root-servers.net

	But root-servers.net zone has:
	a.root-servers.net	b.root-servers.net
	c.root-servers.net	d.root-servers.net
	e.root-servers.net	f.root-servers.net
	g.root-servers.net	h.root-servers.net
	i.root-servers.net	j.root-servers.net
	k.root-servers.net	l.root-servers.net
	m.root-servers.net

Leaving aside for the moment the argument of _should_ all the root
servers be authoritative for the root-servers.net zone, I think that
given that they all _are_ authoritative for it (and they are all
returning aa, I checked) why _wouldn't_ NSD return the "proper" TTL
value for the glue? And of course this all circles back to my previous
question, what possible value could 41+day TTLs have for the A records
given that the . NS records are only 6 days?


Doug

-- 

	... and that's just a little bit of history repeating.
			-- Propellerheads

	Improve the effectiveness of your Internet presence with
	a domain name makeover!    http://SupersetSolutions.com/




More information about the dns-operations mailing list