[dns-operations] TTL=0

Greg Choules gregchoules at googlemail.com
Sat Jan 19 07:37:40 UTC 2019

Hi Andrew.
Thanks for the pointer, but no. Section 8 clarifies the lower and upper
bounds for TTL and that bit 32 MUST be 0.
I know that the minimum value possible for TTL is zero. I can happily
configure this in my authoritative server and that TTL will be preserved
through a recursive server (which will not cache the answer) all the way
back to the client.

My question is about the behaviour of a recursive server that already has a
record in its cache with a non-zero TTL, which it is counting down.
If it receives a query for that record at the instant its internal logic
would turn TTL=1 to TTL=0, should that server answer with TTL=0 or not?

My personal thoughts are it SHOULD answer with TTL=0 because:
a) 1035 and 2181 are very clear that 0 is a valid value
b) a precedent has already been set for recursive servers sending 0 to
clients, if that's what the auth server gave it.

NOTE: BIND used to answer from cache with 0, many years ago. Now it
doesn't. This is just one example of how a popular DNS engine behaves. I'm
not saying ISC are wrong. I just don't know.

The reason I am asking this question here is not just for academic
interest. We have a very real problem in our network at the moment that
hinges on who is right. I consider you all to be 'expert witnesses' whose
testimony I can potentially use to wave in front of a vendor and prove they
are wrong. Hence why I am being really picky in wanting a definitive
answer, if there is one.

thanks, Greg
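To make the two possible behaviours concrete, here is a small model of a recursive server counting a cached TTL down (an added example, not code from BIND, pfSense or any other resolver). The `answer_zero` switch is an assumption: one setting answers from cache with TTL=0 at the instant the remaining TTL reaches zero, the other treats that instant as a cache miss and re-queries. Either way a TTL=0 answer from the authoritative server is relayed but never stored, and nothing is ever served with a negative TTL.

```python
"""Model of a recursive server counting a cached TTL down to zero.

Hypothetical example, not code from any resolver: `answer_zero` selects
whether the server answers from cache with TTL=0 at the instant the
remaining TTL reaches 0, or treats that instant as a cache miss.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Answer = Tuple[str, int, str]  # (rdata, TTL sent to client, "cache" or "upstream")


@dataclass
class Entry:
    rdata: str
    ttl: int        # TTL as received from the authoritative server
    inserted: int   # resolver clock (seconds) when the answer was cached


class RecursiveCache:
    def __init__(self, answer_zero: bool) -> None:
        self.answer_zero = answer_zero
        self._cache: Dict[str, Entry] = {}

    def learn(self, name: str, rdata: str, ttl: int, now: int) -> Answer:
        """Relay an upstream answer; a TTL=0 answer is passed through, never stored."""
        if ttl > 0:
            self._cache[name] = Entry(rdata, ttl, now)
        return (rdata, ttl, "upstream")

    def answer(self, name: str, now: int) -> Optional[Answer]:
        """Answer a client from cache, or None when the server must re-query."""
        entry = self._cache.get(name)
        if entry is None:
            return None
        remaining = entry.ttl - (now - entry.inserted)
        if remaining > 0:
            return (entry.rdata, remaining, "cache")
        del self._cache[name]  # expired either way; a negative TTL is never sent
        if self.answer_zero and remaining == 0:
            return (entry.rdata, 0, "cache")
        return None


def client_view(answer_zero: bool, ttl: int) -> List[Optional[int]]:
    """TTLs a client sees when it queries once a second from the moment of caching.
    None marks a query the recursive server could not answer from cache."""
    cache = RecursiveCache(answer_zero)
    cache.learn("www.example.", "192.0.2.1", ttl, now=0)  # constructed sample record
    seen: List[Optional[int]] = []
    for now in range(ttl + 1):
        got = cache.answer("www.example.", now)
        seen.append(None if got is None else got[1])
    return seen
```

`client_view(True, 3)` yields `[3, 2, 1, 0]`, while `client_view(False, 3)` yields `[3, 2, 1, None]`; the only difference between the two servers is what the client is told at that last second.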

On Sat, 19 Jan 2019 at 00:36, Andrew Sullivan <ajs at anvilwalrusden.com>

> Section 8?
> --
> Andrew Sullivan
> Please excuse my clumbsy thums.
> On January 18, 2019 19:05:56 Greg Choules <gregchoules at googlemail.com>
> wrote:
>> Hi Andrew.
>> Which bit of 2181?
>> On Fri, 18 Jan 2019 at 23:55, Andrew Sullivan <ajs at anvilwalrusden.com>
>> wrote:
>>> Seems to me RFC2181 already answered this years ago.
>>> --
>>> Andrew Sullivan
>>> Please excuse my clumbsy thums.
>>> On January 18, 2019 17:21:40 Greg Choules <gregchoules at googlemail.com>
>>> wrote:
>>>> Hi Fred.
>>>> No, I am not talking about dscacheutil or any particular client
>>>> software. I just want to know whether, in the opinion of the world's DNS
>>>> professionals, recursive servers should or shouldn't ever send answers from
>>>> cache with TTL=0.
>>>> cheers, Greg
>>>> On Thu, 17 Jan 2019 at 23:15, m3047 <m3047 at m3047.net> wrote:
>>>>> Who cares about the RFC? In practice, SOME caching resolvers (and
>>>>> that's being charitable) WILL answer with TTL=0. I've had to live with
>>>>> PFSense deployments which did this.
>>>>> Which in turn leads to things like (for Mac users):
>>>>>    dscacheutil -flushcache
>>>>> Is that what you're talking about?
>>>>> On Thu, 17 Jan 2019, Greg Choules wrote:
>>>>> > [...]
>>>>> >
>>>>> > Is there ever a case, for cached answers, that the recursive server
>>>>> > would answer the client with TTL=0? Or would that be illegal? RFC1034
>>>>> > states that records with TTL=0 "should not be cached". Note "should"
>>>>> > and not "must".
>>>> _______________________________________________
>>>> dns-operations mailing list
>>>> dns-operations at lists.dns-oarc.net
>>>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations