[dns-operations] More Aggressive prefetch for popular names
Mukund Sivaraman
muks at mukund.org
Sat Apr 6 16:21:43 UTC 2019
On Sat, Apr 06, 2019 at 10:39:51PM +0800, Davey宋 wrote:
> You are right in the normal case. But name owners may want to change
> their TTL under some events promptly, setting a larger TTL in case of a
> DDoS attack, a small TTL if they want their RR to be refreshed in an
> urgent situation. But each change needs to wait for the previous TTL to
> time out in the current DNS TTL context.
>
> If a normal TTL is one day or hours, an urgent change to a new A/AAAA,
> NS RR will not be accepted by the remote cache server. A short TTL may
> be an option but the name owner may face the hard choice to endure heavy
> load for a rare urgent change. If they want a small load of traffic as
> well as prompt changes if necessary there should be a push scheme like
> DNS notify or DOH server push.
>
> AFAIK, in a real event the name owners need to call the ISP DNS
> operators to manually refresh their cache. ISPs are willing to cooperate
> for popular names because they care about the users' experience (people
> will call in and complain during the TTL). If there is a widely accepted
> approach to notify them to fetch the changes, I think they are willing
> to hear.
>
> Does no one here share the same issue?

This has been so since before 1987. A consolation is that this behavior
of DNS as a loosely coupled distributed database is well known and
expected. Editors plan carefully for what may already be cached, and the
effects of a new edit. However, the point you're making is
understandable, as mistakes are made.

In the land of network filesystem protocols, clients are able to get a
lease on an open file and (a) use locally cached data (read previously),
and (b) cache written data locally, until the server notifies such a
client that its exclusive write access or shared read access is revoked.
Examples are oplocks in SMB/CIFS, and (I think) delegations in NFS. I
think Vixie mentioned this in a recent thread, that something like this
could be applied to DNS.

DNS is a little different because resolvers and authoritative
nameservers are usually not connected, and there are a variety of cases
to consider (spoofing, resolvers behind NAT, resource usage on
nameservers to maintain which clients to notify for what, transitivity
with forwarders, etc.). It should be possible to prepare a scheme that
works for DNS. It could not only help for misconfigurations, but also
availability issues by redefining the life of cached data.
Mukund