[dns-operations] Who Ignores TTLs ?
olaf at NLnetLabs.nl
Wed Feb 23 09:03:15 UTC 2011
On Feb 21, 2011, at 5:22 PM, Roy Arends wrote:
> On Feb 17, 2011, at 2:01 AM, Simon Lyall wrote:
>> I keep seeing a persistent complaint that some DNS caching operators ignore TTLs or otherwise keep records for longer than the TTL would indicate.
>> I suspect this might be an urban legend since most DNS caching software doesn't even offer this as an option last time I checked.
>> Does anybody actually do this? Because it keeps being brought up by some people as to why things like GSLB don't work.
> At Nominet, we see various forms of TTL ignorance, independent of load balancing via DNS.
From the recursive nameserver perspective I can say what Unbound does with respect to honoring/ignoring TTLs. I do not think this is the behavior you are worried about, but it may serve as a data point.
Small TTL values are honored as long as they are larger than the cache-min-ttl config parameter. If the TTLs are smaller, then the cache-min-ttl is used as the TTL. By default the value of that parameter is 0, which means that RRsets with a TTL==0 will be discarded. (Even when the TTL is 0, some RRs stick around internally for a second in order to keep them around for validation.)
By default any TTL larger than 24 hours will be treated as being 24 hours. The cache-max-ttl config parameter governs that behavior. RFC 2308 security considerations seem to allow for this.
We believe we explain the appropriate considerations in the unbound.conf(5) man page:
    cache-max-ttl: <seconds>
        Time to live maximum for RRsets and messages in the cache.
        Default is 86400 seconds (1 day). If the maximum kicks in,
        responses to clients still get decrementing TTLs based on the
        original (larger) values. When the internal TTL expires, the
        cache item has expired. Can be set lower to force the resolver
        to query for data often, and not trust (very large) TTL values.

    cache-min-ttl: <seconds>
        Time to live minimum for RRsets and messages in the cache.
        Default is 0. If the minimum kicks in, the data is cached
        for longer than the domain owner intended, and thus less queries
        are made to look up the data. Zero makes sure the data in the
        cache is as the domain owner intended, higher values, especially
        more than an hour or so, can lead to trouble as the data in the
        cache does not match up with the actual data any more.
Olaf M. Kolkman
NLnet Labs
Science Park 140, 1098 XG Amsterdam
http://www.nlnetlabs.nl/
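As an added illustration (not Unbound's code and not part of the message above), a small Python model of the clamping the quoted man page text describes: how long an RRset stays in the cache under cache-min-ttl / cache-max-ttl, versus the TTL a client is told. The post only documents "decrement from the original value" for the maximum case; for the minimum case this model assumes the clamped value is what gets served, and the RRsets are constructed sample data.

```python
"""Model of Unbound's cache-min-ttl / cache-max-ttl behaviour (added example)."""
from dataclasses import dataclass
from typing import Optional

DEFAULT_MIN_TTL = 0        # unbound.conf default: TTL 0 data is not cached
DEFAULT_MAX_TTL = 86400    # unbound.conf default: 1 day


@dataclass
class CachedRRset:
    name: str
    original_ttl: int   # TTL as published by the authoritative server
    stored_at: int      # cache insertion time, in seconds
    internal_ttl: int   # TTL the cache actually enforces after clamping

    def expired(self, now: int) -> bool:
        """The cache item is gone once the *internal* (clamped) TTL lapses."""
        return now >= self.stored_at + self.internal_ttl

    def client_ttl(self, now: int) -> int:
        """TTL handed to clients.

        When the maximum kicked in, Unbound keeps decrementing from the
        original (larger) value, so a client may be told a TTL longer than
        the entry will actually remain cached.  For the minimum case the
        served value is ASSUMED to be the clamped one (not in the post).
        """
        base = max(self.original_ttl, self.internal_ttl)
        return max(0, base - (now - self.stored_at))


def cache_insert(name: str, ttl: int, now: int,
                 cache_min_ttl: int = DEFAULT_MIN_TTL,
                 cache_max_ttl: int = DEFAULT_MAX_TTL) -> Optional[CachedRRset]:
    """Clamp the TTL as described and return the cache entry, or None if dropped."""
    if ttl < cache_min_ttl:
        internal = cache_min_ttl   # kept longer than the domain owner intended
    elif ttl > cache_max_ttl:
        internal = cache_max_ttl   # very large TTLs are not trusted
    else:
        internal = ttl
    if internal == 0:
        return None                # TTL 0 with the default minimum: discarded
    return CachedRRset(name, ttl, now, internal)


if __name__ == "__main__":
    # Constructed sample: a week-long TTL is only kept for a day internally,
    # yet a client asking just before expiry is still told ~6 days.
    rr = cache_insert("www.example.net.", 604800, now=0)
    print(rr.expired(86399), rr.client_ttl(86399))   # False 518401
```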