TTL Question

Mike Diggins diggins at mcmaster.ca
Wed Oct 17 00:18:33 UTC 2007


On Wed, 17 Oct 2007, Mark Andrews wrote:

>
>>
>> On Wed, 17 Oct 2007, Mark Andrews wrote:
>>
>>>
>>>>
>>>> What dictates how long another name server caches the authoritative name
>>>> server for a domain? I was under the impression it was the default
>>>> time-to-live, but I have a situation where an authoritative name server
>>>> was removed from service several days ago, yet queries to it continue. Dig
>>>> is correctly reporting the new authoritative name servers for the domain
>>>> in question. How common is it for DNS servers to ignore the ttl?
>>>
>>> 	Because you failed to update *ALL* the servers for the zone to
>>> 	have the new content.  Every time a cache queries the old servers
>>> 	it re-learns the old NS RRset for the zone.
>>>
>>> 	Mark
>>>
>> Mark,
>>
>> Do you know something I don't? Our registrar (Canhost) was contacted to
>> have the DNS server removed. When I check cira.ca, that appears to have
>> been done (it correctly lists our nameservers). Did I miss a step?
>>
>> -Mike
>
> 	NS records are in THREE places.
>
> 		The parent zone.
> 		The new (current) servers.
> 		The old servers.
>
> 	Not changing the old servers to have the new NS RRset gives
> 	exactly these symptoms.
>
> 	Nameservers cache answers AND authority AND additional
> 	sections.  If you fail to update the old server to have the
> 	new content then every time the nameserver fetches data from
> 	the zone it re-learns the NS RRset via the authority section.
>
> 	[The same thing can happen also with the addresses for the
> 	nameservers.]
>
> 	When you change nameservers you need to ensure ALL servers
> 	are giving CONSISTENT answers: old, new and parent.
> 	Once ALL the records involved in the delegation (NS/A/AAAA)
> 	with old information have timed out you can then shut down
> 	the old servers.
>
> 	Mark
>
> ; <<>> DiG 9.3.4-P1 <<>> a McMaster.CA @baldric.cis.McMaster.CA +norec
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43303
> ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
>
> ;; QUESTION SECTION:
> ;McMaster.CA.			IN	A
>
> ;; ANSWER SECTION:
> McMaster.CA.		60	IN	A	130.113.64.65
>
> ;; AUTHORITY SECTION:
> McMaster.CA.		3600	IN	NS	blackadder.CIS.McMaster.CA.
> McMaster.CA.		3600	IN	NS	baldric.CIS.McMaster.CA.
>
> ;; ADDITIONAL SECTION:
> baldric.CIS.McMaster.CA. 3600	IN	A	130.113.64.1
> blackadder.CIS.McMaster.CA. 3600 IN	A	130.113.128.1
>
> ;; Query time: 243 msec
> ;; SERVER: 130.113.64.1#53(130.113.64.1)
> ;; WHEN: Wed Oct 17 09:22:08 2007
> ;; MSG SIZE  rcvd: 128
>
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org


Mark, thanks. The 'dig' output above is ALL correct and those are our 
valid name servers.

Let me explain a bit more. Two new external name servers were added via 
our Registrar during - let's call it an experiment gone bad - which 
immediately caused problems; our Registrar was contacted and they were 
removed (albeit a day later due to an oversight on their part). Our 
original name servers above are configured exactly as they were.

Since then several sites have reported having a problem sending us mail. 
The error that I've seen in the bounce reports is something to the effect 
"Delivery expired (message too old) 'no valid ip addresses'". It's only 
affecting a few sites and I don't have enough information from them to 
know for sure that it's related, but based on the timing, it must be. 
Anyway, it's been about 4 days since the errant records were removed, and 
we are still getting complaints. I'm assuming these sites have the errant 
Name Servers cached and are not letting go, hence my question.


-Mike
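The "NS records are in THREE places" point from Mark's reply, as an added example that is not from the thread or from BIND: a Python check that compares the NS and glue (A/AAAA) records served by the parent zone, the current servers and a not-yet-updated old server, and reports the longest TTL on any stale record, which bounds how long caches can keep re-learning the old delegation. The zone, server names, addresses and TTLs are constructed.

```python
from collections import namedtuple

RR = namedtuple("RR", "name ttl rtype rdata")

# Constructed snapshot of the delegation data each source returns (not McMaster's
# servers); in practice fill it from `dig @server <zone> NS +norec` per server.
SNAPSHOT = {
    "parent zone": [
        RR("example.com.", 172800, "NS", "ns1.example.com."),
        RR("example.com.", 172800, "NS", "ns2.example.com."),
        RR("ns1.example.com.", 172800, "A", "192.0.2.1"),
        RR("ns2.example.com.", 172800, "A", "192.0.2.2"),
    ],
    "ns1.example.com (current)": [
        RR("example.com.", 3600, "NS", "ns1.example.com."),
        RR("example.com.", 3600, "NS", "ns2.example.com."),
        RR("ns1.example.com.", 3600, "A", "192.0.2.1"),
        RR("ns2.example.com.", 3600, "A", "192.0.2.2"),
    ],
    # Old server whose zone was never updated: still lists itself as NS.
    "ns-old.example.net (removed from delegation)": [
        RR("example.com.", 3600, "NS", "ns1.example.com."),
        RR("example.com.", 3600, "NS", "ns-old.example.net."),
        RR("ns-old.example.net.", 86400, "A", "198.51.100.9"),
    ],
}

def rrset(records, rtype):
    """Owner/rdata pairs of one type; TTLs are ignored (they may legitimately differ)."""
    return {(r.name, r.rdata) for r in records if r.rtype == rtype}

def check_delegation(snapshot, reference):
    """Compare each source's NS/A/AAAA data with the reference source. Returns
    (problems, max_stale_ttl): records a source serves that the reference does not
    ("stale") or lacks ("missing"), and the longest TTL on any stale record."""
    ref = {t: rrset(snapshot[reference], t) for t in ("NS", "A", "AAAA")}
    problems, max_stale_ttl = {}, 0
    for source, records in snapshot.items():
        stale = [r for r in records
                 if r.rtype in ref and (r.name, r.rdata) not in ref[r.rtype]]
        missing = {t: ref[t] - rrset(records, t) for t in ref}
        missing = {t: m for t, m in missing.items() if m}  # drop empty entries
        if stale or missing:
            problems[source] = {"stale": stale, "missing": missing}
            max_stale_ttl = max([max_stale_ttl] + [r.ttl for r in stale])
    return problems, max_stale_ttl

if __name__ == "__main__":
    problems, ttl = check_delegation(SNAPSHOT, "ns1.example.com (current)")
    print(sorted(problems), f"stale data may persist up to {ttl} s")
```

Only the old server is flagged, and the 86400 s glue TTL, not the 3600 s NS TTL, sets the waiting period before it can be shut down.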