DNS Root Zone timeout value question.

Kevin Darcy kcd at daimlerchrysler.com
Tue Sep 28 23:06:03 UTC 1999


Client resolvers typically don't use NS records to find a nameserver; they
have a list of nameservers to which they will send "recursive" queries and
then those nameservers do the grunt work of resolving the query and
returning the answer to the client. NS records are primarily intended for
the benefit of other nameservers, not clients.

Now, if ns1 dies, how long will it take for other nameservers to start
forwarding queries to ns2? If ns2 is regularly answering queries faster
than ns1, then it may take a while before other BIND-based nameservers
even notice that ns1 is down! Why? Because BIND keeps track of how quickly
each nameserver that it uses responds to queries, and will prefer faster
nameservers over slower ones. Even if a BIND-based nameserver is
encountering both of these nameservers for the first time, there's only a
50-50 chance that it will try ns1 first (assuming that the NS list is
round-robin'ed), and when the query times out, it'll mark that nameserver
as "very slow", get the data from ns2, and won't try ns1 again for a while
(by which time hopefully it's back up!). All of this happens transparently
to the client and usually doesn't take more than a second or two even in
the worst case, assuming only one nameserver failed and the remaining
nameserver was capable of handling the increased query load. I don't know
any way of tuning this behavior, but then I've never known anyone to be
unhappy with the defaults anyway, so who needs tunability?

By the way, note that this is a good argument for having a decent number
of nameservers defined for your domains beyond just the 2 minimum that the
NIC requires; so that the failure of a single nameserver doesn't slow
queries down too much or overload the remaining nameserver. Just don't
define so many that you overflow UDP packets listing all of them! On our
Intranet, I have at least 5 nameservers, in at least 4 different data
centers, defined for every zone I control.


- Kevin

michaelreed647 at my-deja.com wrote:

> Does anyone know the answer to this, and if so, can you please
> email me at mike at pec.net:
>
> Let's say you served the zone for a ccTLD and your internic rec showed:
>
> ns1.whatevercctld.net
> ns2.whatevercctld.net
>
> If ns1 was completely dead temporarily, how long would it take the
> resolver or client to query ns2 for the proper authoritative NS for a
> given domain?  And, what controls this (timeout?) value?
>
> TIA,
> Mike.
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.
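
A simplified model of the selection behaviour described in the reply above, added here as an illustration; it is not BIND's code and not part of the original post. The `Selector` class and the timeout, penalty, smoothing and decay constants are assumptions chosen for the sketch.

```python
TIMEOUT = 2.0   # assumed: seconds spent waiting on a dead server
PENALTY = 10.0  # assumed: score given to a server that timed out ("very slow")
ALPHA = 0.3     # assumed: weight of the newest RTT sample
DECAY = 0.98    # assumed: unused servers' scores shrink so they are retried later


class Selector:
    """Toy per-server score table; lowest score is queried first."""

    def __init__(self, servers):
        # Unknown servers tie at 0.0; ties fall back to list order here,
        # where a real server would see a rotated (round-robin) NS list.
        self.score = {s: 0.0 for s in servers}

    def resolve(self, rtt_of):
        """rtt_of: server -> RTT in seconds, or None if the server is down.
        Returns (answering server or None, seconds spent, servers tried)."""
        spent, tried = 0.0, []
        for server in sorted(self.score, key=self.score.get):
            tried.append(server)
            rtt = rtt_of.get(server)
            if rtt is None or rtt > TIMEOUT:
                spent += TIMEOUT
                self.score[server] = PENALTY
                continue
            spent += rtt
            self.score[server] = (1 - ALPHA) * self.score[server] + ALPHA * rtt
            for other in self.score:
                if other != server:
                    self.score[other] *= DECAY
            return server, spent, tried
        return None, spent, tried


def simulate_outage(queries=400):
    """Constructed scenario: ns1 is dead, ns2 answers in 50 ms."""
    sel = Selector(["ns1", "ns2"])
    network = {"ns1": None, "ns2": 0.05}
    costs, retried_at = [], None
    for i in range(queries):
        _, spent, tried = sel.resolve(network)
        costs.append(spent)
        if i > 0 and retried_at is None and "ns1" in tried:
            retried_at = i
    return costs, retried_at


if __name__ == "__main__":
    costs, retried_at = simulate_outage()
    print(f"first query: {costs[0]:.2f}s, next: {costs[1]:.2f}s, ns1 retried at query {retried_at}")
```

Only the first lookup pays the timeout; later lookups go straight to ns2 until the decayed score of ns1 drops below it, at which point one lookup pays the timeout again if ns1 is still down.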




