[dns-operations] More Aggressive prefetch for popular names

Mukund Sivaraman muks at mukund.org
Mon Apr 8 16:48:01 UTC 2019 

On Mon, Apr 08, 2019 at 01:21:28PM +0100, Tony Finch wrote:
> Mukund Sivaraman <muks at mukund.org> wrote:
> > On Mon, Apr 08, 2019 at 12:08:57PM +0100, Tony Finch wrote:
> > > Davey Song <songlinjian at gmail.com> wrote:
> > > >
> > > > The recent event happened last week was a name of CCTV VOD services, people
> > > > call in complaining they can not open the video. It was found that in Gang
> > > > Zhou City, the DNS of a local broadband service provider served stale data
> > > > for that name for hours.
> > >
> > > It sounds to me like the problem was that the resolver had been configured
> > > with a large minimum TTL, which should be fixed by not misconfiguring the
> > > resolver in the first place.
> >
> > The default in the case of BIND is 1 week for postive answers.
> 
> That's the serve-stale ttl not the default minimum ttl (which is zero). I
> don't think the resolver was serving stale answers because it was using
> serve-stale: if it was using serve-stale it should only serve stale
> answers if the upstream is unreachable, in which case flushing the cache
> will just change the kind of failure from connecting to the wrong VOD
> server to being unable to resolve the server at all.

Sorry, I misread the thread. My reply was for the out-of-sync cache -
what was discussed earlier and the email thread with Davey privately -
it is not for this Gang Zhou City case, where the resolver should not be
messing about with TTLs.

BIND has a max-cache-ttl setting (and another for negative answers) that
defaults to 1 week. That's the maximum life of a cached entry before it
becomes stale.

If a zone editor sets > 1 week as the TTL on an RR set, it means that it
can live up to 1 week in cache (for BIND). The TTL field is a 32-bit
field, and except if the MSB bit is set, large values are possible
unless the resolver caps them somehow.

1 week is a reasonable TTL for some use cases, so one can't say that the
limit is too large. However, it may be too long for e.g., a SMB
ecommerce website that has served the wrong address with a very long
TTL. It's human nature to make mistakes; a person affected by it would
like a way to fix it immediately.

		Mukund

More information about the dns-operations mailing list