[dns-operations] Who Ignores TTLs ?

Olaf Kolkman olaf at NLnetLabs.nl
Wed Feb 23 09:03:15 UTC 2011

On Feb 21, 2011, at 5:22 PM, Roy Arends wrote:

> On Feb 17, 2011, at 2:01 AM, Simon Lyall wrote:
>> I keep seeing a persistent complaint that some DNS caching operators ignore TTLs or otherwise keep records for longer than the TTL would indicate.
>> I suspect this might be an urban legend since most DNS caching software doesn't even offer this as an option last time I checked.
>> Does anybody actually do this? Because it keeps being brought up by some people as to why things like GSLB don't work.
> At Nominet, we see various forms of TTL ignorance, independent of load balancing via DNS 

From the recursive nameserver perspective I can say what Unbound does with respect to honoring/ignoring TTLs. I do not think this is the behavior you are worried about, but it may serve as a datapoint.

Small TTL values are honored as long as they are larger than the cache-min-ttl config parameter. If the TTLs are smaller, then the cache-min-ttl is used as the TTL. Per default the value of that param is 0, which means that RRsets with a TTL==0 will be discarded. (Even when the TTL is 0 some RRs stick around internally for a second in order to keep them around for validation)

By default any TTL larger than 24hrs will be treated as being 24 hrs. The cache-max-ttl config parameter governs that behavior. RFC 2308 security considerations seem to allow for this.

We believe we explain the appropriate considerations in the unbound.conf(5) man pages.

cache-max-ttl: <seconds>

              Time  to  live  maximum  for  RRsets  and messages in the cache.
              Default is 86400 seconds (1  day).  If  the  maximum  kicks  in,
              responses  to  clients  still get decrementing TTLs based on the
              original (larger) values.  When the internal  TTL  expires,  the
              cache  item has expired.  Can be set lower to force the resolver
              to query for data often, and not trust (very large) TTL  values.

cache-min-ttl: <seconds>

              Time  to  live  minimum  for  RRsets  and messages in the cache.
              Default is 0.  If the minimum kicks in, the data  is  cached
              for longer than the domain owner intended, and thus less queries
              are made to look up the data.  Zero makes sure the data  in  the
              cache is as the domain owner intended, higher values, especially
              more than an hour or so, can lead to trouble as the data in  the
              cache does not match up with the actual data any more.


Olaf M. Kolkman                        NLnet Labs
                                       Science Park 140, 
http://www.nlnetlabs.nl/               1098 XG Amsterdam
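
A small model of the clamping described in this message and the quoted man page text, added here as an illustration; it is not Unbound's code and not part of the original post. The function names are hypothetical, and the TTL shown to clients in the cache-min-ttl case is an assumption, since the excerpt only describes the cache-max-ttl case.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CachePolicy:
    cache_min_ttl: int = 0      # default per the man page excerpt
    cache_max_ttl: int = 86400  # default per the man page excerpt (1 day)


def internal_ttl(original_ttl: int, policy: CachePolicy) -> int:
    """Seconds the RRset stays in the cache after min/max clamping."""
    return min(max(original_ttl, policy.cache_min_ttl), policy.cache_max_ttl)


def overstay(original_ttl: int, policy: CachePolicy) -> int:
    """Seconds the cache keeps data longer than the domain owner intended."""
    return max(0, internal_ttl(original_ttl, policy) - original_ttl)


def client_ttl(original_ttl: int, age: int, policy: CachePolicy):
    """TTL handed to a client `age` seconds after caching.

    Returns None once the internal TTL has run out and the resolver
    has to query the authoritative servers again.
    """
    kept = internal_ttl(original_ttl, policy)
    if age >= kept:
        return None  # a TTL of 0 with cache-min-ttl 0 lands here at once
    # Max case (from the excerpt): clients see the original, larger TTL
    # counting down. Min case (assumption): clients see the raised TTL.
    return max(original_ttl, kept) - age


if __name__ == "__main__":
    # Constructed sample records: (label, owner TTL, policy)
    samples = [
        ("7-day TTL, defaults", 604800, CachePolicy()),
        ("30 s GSLB TTL, defaults", 30, CachePolicy()),
        ("30 s GSLB TTL, cache-min-ttl 3600", 30, CachePolicy(cache_min_ttl=3600)),
    ]
    for label, ttl, policy in samples:
        print(f"{label}: kept {internal_ttl(ttl, policy)} s, "
              f"overstay {overstay(ttl, policy)} s, "
              f"client TTL after 20 s = {client_ttl(ttl, 20, policy)}")
```
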
