[dns-operations] Paranoid mode for resolvers

Olaf Kolkman olaf at NLnetLabs.nl
Mon Sep 5 13:57:25 UTC 2011


On Sep 5, 2011, at 2:00 PM, Mike Jones wrote:

> Storing the original TTL that the delegation was received as and
> merely using that as an upper bound (so a 24 hour delegation received
> 18 hours ago and you return a TTL of 48 hours, it is capped at 24
> hours) would probably work fine, but would still mean if I can keep
> you updating your NS records before they expire you'll still never
> check the parents. I can also point to for example the tk ccTLD as an
> example of why using the delegated TTL as an upper bound might not be
> ideal, they use a 5 minute TTL on "free domains" (even though they
> only update their servers every hour or so?).

This is not quite how Unbound deals with NS set expiry.

As soon as an NS RRset expires from the cache Unbound will go back to the parent and the resolution chain is picked up from there.

If during the resolution process new child NS RRsets are found, then those will be cached in place of the parental NS RRset, but Unbound does not stick on those: they will thus expire after a maximum of 24 hours (in the default config) and Unbound will go back to the parent.


--Olaf

________________________________________________________ 

Olaf M. Kolkman                        NLnet Labs
http://www.nlnetlabs.nl/
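The expiry behaviour described in this reply, as an added toy model (not Unbound's code, and not from anyone in the thread): a cached NS set that has expired sends the resolver back to the parent, a child NS set found while resolving replaces the parental copy, and the child's TTL is capped in cache. The 24-hour cap is assumed here to be Unbound's `cache-max-ttl` default of 86400 seconds; a "sticky" policy that renews the cached child set on every answer is included only to show the failure mode Mike raised, and is a modelling assumption rather than a description of any real resolver. Zone names, TTLs and query schedule are constructed.

```python
"""Toy model of NS-set expiry in a caching resolver (added example, not Unbound).

Models the behaviour described in the post: when the cached NS RRset for a
zone expires, the resolver goes back to the parent; a child NS RRset found
while resolving replaces the parent's copy, but its cache lifetime is capped.
The 86400 s cap is an assumption (Unbound's cache-max-ttl default). The
"sticky" policy is a hypothetical resolver used to illustrate the concern in
the thread, not a description of Unbound.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

CACHE_MAX_TTL = 86400  # assumed cap in seconds (cache-max-ttl default)

NSSet = Tuple[List[str], int]  # (nameserver names, TTL in seconds)


@dataclass
class NSEntry:
    names: List[str]
    source: str      # "parent" or "child"
    expires_at: int  # absolute time in seconds


class ResolverCache:
    def __init__(self, cache_max_ttl: int = CACHE_MAX_TTL, sticky: bool = False):
        self.cache_max_ttl = cache_max_ttl
        self.sticky = sticky
        self.ns: Dict[str, NSEntry] = {}
        self.parent_queries: List[int] = []  # times at which the parent was asked

    def store(self, zone: str, rrset: NSSet, now: int, source: str) -> None:
        names, ttl = rrset
        # The wire TTL is an upper bound; the cache cap shortens it further.
        self.ns[zone] = NSEntry(list(names), source, now + min(ttl, self.cache_max_ttl))

    def resolve_ns(self, zone: str, now: int,
                   parent: Callable[[str], NSSet],
                   child: Callable[[str], Optional[NSSet]]) -> NSEntry:
        entry = self.ns.get(zone)
        if entry is None or entry.expires_at <= now:
            # Expired or never seen: resolution restarts at the parent.
            self.parent_queries.append(now)
            self.store(zone, parent(zone), now, "parent")
            child_set = child(zone)
            if child_set is not None:
                # A child NS set found while resolving replaces the parental copy.
                self.store(zone, child_set, now, "child")
        elif self.sticky:
            # Hypothetical failure mode: renewing the cached child set every
            # time the child repeats it means the parent is never consulted.
            child_set = child(zone)
            if child_set is not None:
                self.store(zone, child_set, now, "child")
        return self.ns[zone]


def simulate(cache_max_ttl: int, child_ttl: int, sticky: bool = False,
             horizon: int = 4 * 86400, step: int = 3600) -> List[int]:
    """Ask for the zone's NS set every `step` seconds; return parent-query times."""
    # Constructed data: the parent delegates with a 24 h TTL, the child
    # advertises the same servers with a TTL of its own choosing.
    servers = ["ns1.example.", "ns2.example."]

    def parent(zone: str) -> NSSet:
        return (servers, 86400)

    def child(zone: str) -> Optional[NSSet]:
        return (servers, child_ttl)

    cache = ResolverCache(cache_max_ttl, sticky)
    for now in range(0, horizon + 1, step):
        cache.resolve_ns("example.", now, parent, child)
    return cache.parent_queries


if __name__ == "__main__":
    print("capped 24h, child TTL 48h:   ", simulate(86400, 172800))
    print("uncapped, child TTL 48h:     ", simulate(10**9, 172800))
    print("sticky, child TTL 48h:       ", simulate(86400, 172800, sticky=True))
```

With the cap, a child advertising a 48-hour NS TTL still sends the resolver back to the parent once a day; without it the parent is consulted every other day. The sticky variant shows that the cap alone is not enough: a resolver that re-stores the child set on every answer never re-checks the parent, which is exactly why the non-sticking behaviour matters more than the cap value.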
