Caching question

Kevin Darcy kcd at daimlerchrysler.com
Fri Jun 30 00:16:38 UTC 2000


Barry Margolin wrote:

> In article <20000629225805.16124.qmail at geekgrrl.org>,
>  <geekgrrl at geekgrrl.org> wrote:
> >This is kind of an odd question, but it's been on my mind.
> >
> >Let's say I have a primary server for paxumbrae.com, and a secondary
> >server. I also have a caching server that my LAN hits rather than my
> >primary/secondary. Let's say I am running BIND 8.2.2P5 and the zone,
> >paxumbrae.com, gets rejected for 'CNAME and other data' errors on the
> >primary server.
> >
> >I know the secondary server will continue to answer until its Expire
> >time is met for the zone, continuously retrying to transfer it.
> >
> >How about the caching server? After the zone's ttl, will it immediately
> >drop any records it has and cease to answer for anything in the zone?
>
> TTLs apply to individual records, not zones, so different records will time
> out at different times depending on when they were cached (on the primary
> server you can specify a default TTL for the entire zone file, but it's
> just an abbreviation for putting that TTL on every record, and is invisible
> to the protocol).
>
> When a record times out on the caching server, it will be dropped, and the
> next time someone asks for that record the caching server will ask one of
> the authoritative servers.  If it asks the secondary server and the Expire
> time hasn't run out yet, it will cache the response and everything will be
> fine.
>
> If it asks the primary server it will get a non-authoritative response, and
> according to a message Mark Andrews posted a couple of days ago this will
> be ignored; I think it will then try the secondary server and the result
> will be as I described above.  If the zone has expired on the secondary
> server, it will also return a non-authoritative response; in that case,
> none of the servers are valid and it won't be able to answer the query.
>
> I'm not quite sure that I believe what Mark wrote, though.  On many
> occasions we've had domains expire on our secondary servers.  If all the
> servers are non-authoritative, and BIND ignores non-authoritative
> responses, I would expect a few of them to have called us reporting that
> lots of people were unable to send them mail, get to their web site, etc.
> Sometimes the servers had been lame for weeks or months, but they didn't
> have any idea that there was a problem until we started scanning our logs
> looking for expired zone messages.  While I know that some of our customers
> are pretty clueless, there have been enough of these situations that I'd
> expect at least one or two tickets to have been opened by the customers
> before we started doing it proactively.

I just tested, and it appears that named still accepts the answer even if aa is
unset. In fact, it doesn't even log this as a lame server event, as long as the
Authority section looks OK.


- Kevin
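The condition Kevin tested above can be checked offline against a raw reply. The following is an added example, not code from this thread or from BIND: it parses the header and Authority section of a wire-format DNS response and reports whether the aa bit is set, which is the signal an operator watching for expired secondaries (rather than waiting for customer tickets) would want to alert on. The sample replies are constructed here; the `www.<zone> A` question and the 0xC010 owner pointer (assuming the question's first label is three characters) are assumptions of the builder, not anything from a real capture.

```python
import struct

def _read_name(msg, off):
    """Decode a wire-format name at off; returns (name, offset past it)."""
    ln = msg[off]
    if ln & 0xC0 == 0xC0:                            # compression pointer
        ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        if ptr >= off:                               # RFC 1035 pointers only point backwards
            raise ValueError("forward compression pointer")
        return _read_name(msg, ptr)[0], off + 2
    if ln == 0:
        return "", off + 1
    label = msg[off + 1:off + 1 + ln].decode("ascii")
    rest, end = _read_name(msg, off + 1 + ln)
    return (label + "." + rest if rest else label), end

def parse_response(msg):
    """Return (AA flag, [(owner, type), ...] of the Authority section)."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, authority = 12, []
    for _ in range(qd):
        off = _read_name(msg, off)[1] + 4            # skip QTYPE and QCLASS
    for section, count in (("answer", an), ("authority", ns)):
        for _ in range(count):
            name, off = _read_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen                        # RDATA is not needed here
            if section == "authority":
                authority.append((name, rtype))
    return bool(flags & 0x0400), authority

def check_authoritative(msg, zone):
    """Classify a reply from a server that is listed as authoritative for zone."""
    aa, authority = parse_response(msg)
    if aa:
        return "authoritative"
    if any(t == 2 and n == zone for n, t in authority):   # type 2 = NS
        return "aa-unset"   # named accepts this, but the zone has probably expired there
    return "lame"

def _name(s):
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in s.split(".")) + b"\x00"

def build_response(aa, zone, authority_ns=()):
    """Constructed reply to 'www.<zone> A' with an empty answer section (not a real capture)."""
    body = _name("www." + zone) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    for host in authority_ns:                        # owner = pointer to <zone> inside the question name
        body += b"\xC0\x10" + struct.pack("!HHIH", 2, 1, 3600, len(_name(host))) + _name(host)
    flags = 0x8000 | (0x0400 if aa else 0)           # QR=1, AA as requested, RCODE=0
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, len(authority_ns), 0) + body
```

To use it against live servers, send the query with `+norecurse` semantics (RD bit clear) to each listed NS and feed the raw reply to `check_authoritative`; an `aa-unset` result from a server in the zone's NS set is the case the thread describes.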



