zero SOA TTL - still best practice?

Chris Thompson cet1 at cam.ac.uk
Thu Aug 26 18:58:35 UTC 2010


On Aug 26 2010, Kevin Oberman wrote:

[...]
>> The SOA record should have a reasonable TTL, and the "minimum" field in
>> the SOA should also be set to a reasonable value, no larger than the SOA
>> TTL.  If you don't change your zone data often, then you should let
>> people cache your negative answers for a useful amount of time (hours,
>> days).
>
>I really question the desirability of a negative cache TTL of days. If
>something is not in DNS when it is first queried for, it will be
>negatively cached and will stay that way for a very long time. It is not
>unheard of for some information on a new web page to be leaked (at least
>internally) prior to the insertion of the record into DNS. An
>excessively long negative cache time will keep it unavailable for far
>too long.

Yes, one needs to take into account whether the zone will remain
static, and whether one will have advance notice of a change. But
there are zones whose contents truly do not change for years on
end, and I have no hesitation in using an SOA.minimum value of
24 hours for them. Even though ...

>I remember discussions in the DNSEXT WG back when negative caching was
>first implemented as to whether the negative cache time should be limited
>and, if so, to how many MINUTES.

Hence BIND's default max-ncache-ttl of 3 hours.

-- 
Chris Thompson
Email: cet1 at cam.ac.uk
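The arithmetic behind the thread, as an added example that is not part of the original message: RFC 2308 section 5 says a resolver caches a negative answer for the minimum of the SOA record's own TTL and its MINIMUM field, and a recursive server such as BIND then clamps that with max-ncache-ttl (the 3-hour default mentioned above). The script below parses a single-line SOA record, computes both values, and models the "record published after a cached miss" situation Kevin describes. The SOA line, the zone contents, the names and the `NegativeCache` class are all constructed for illustration.

```python
"""Negative-cache TTL per RFC 2308 section 5, plus the resolver-side
max-ncache-ttl clamp, with a small model of the leak scenario."""
from dataclasses import dataclass

# BIND's documented default for max-ncache-ttl: 3 hours, in seconds.
BIND_DEFAULT_MAX_NCACHE_TTL = 3 * 3600

# Constructed sample SOA: 24h TTL on the record and a 24h MINIMUM field.
SAMPLE_SOA = ("example.com. 86400 IN SOA ns1.example.com. "
              "hostmaster.example.com. 2010082601 7200 900 1209600 86400")


@dataclass(frozen=True)
class SOA:
    ttl: int        # TTL of the SOA RR itself
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int    # the "negative caching TTL" field (RFC 2308)


def parse_soa(line: str) -> SOA:
    """Parse the single-line master-file form
    '<owner> <ttl> IN SOA mname rname serial refresh retry expire minimum'.
    Parenthesised multi-line SOAs and comments are deliberately not handled."""
    f = line.split()
    if len(f) != 11 or f[2].upper() != "IN" or f[3].upper() != "SOA":
        raise ValueError("expected '<owner> <ttl> IN SOA mname rname "
                         "serial refresh retry expire minimum'")
    nums = [int(x) for x in (f[1], *f[6:11])]
    if any(n < 0 for n in nums):
        raise ValueError("TTL and SOA timer fields must be non-negative")
    ttl, serial, refresh, retry, expire, minimum = nums
    return SOA(ttl, f[4], f[5], serial, refresh, retry, expire, minimum)


def negative_ttl(soa: SOA) -> int:
    """RFC 2308 s.5: negative answers are cached for min(SOA TTL, MINIMUM)."""
    return min(soa.ttl, soa.minimum)


def resolver_negative_ttl(soa: SOA, max_ncache_ttl: int) -> int:
    """What a recursive server actually keeps: the RFC 2308 value, further
    clamped by its own max-ncache-ttl setting (BIND default: 3 hours)."""
    return min(negative_ttl(soa), max_ncache_ttl)


class NegativeCache:
    """Minimal model of a resolver's negative cache: an NXDOMAIN for a name
    is remembered until its TTL expires, regardless of later zone changes."""

    def __init__(self, max_ncache_ttl: int = BIND_DEFAULT_MAX_NCACHE_TTL):
        self.max_ncache_ttl = max_ncache_ttl
        self._expiry = {}   # name -> absolute expiry time in seconds

    def resolve(self, name: str, now: int, zone: dict, soa: SOA):
        """Answer a client would see at time `now`; `zone` is the
        authoritative data at that moment (dict name -> rdata)."""
        exp = self._expiry.get(name)
        if exp is not None and now < exp:
            return None          # served from the negative cache
        if exp is not None:
            del self._expiry[name]
        rdata = zone.get(name)
        if rdata is None:
            self._expiry[name] = now + resolver_negative_ttl(soa, self.max_ncache_ttl)
        return rdata


def demo_leak_scenario(max_ncache_ttl: int = BIND_DEFAULT_MAX_NCACHE_TTL):
    """A name is queried before it is published, then published at t=600s.
    Returns [(t, answer), ...] showing when the new record becomes visible."""
    soa = parse_soa(SAMPLE_SOA)
    zone = {"www.example.com.": "192.0.2.10"}        # constructed zone data
    cache = NegativeCache(max_ncache_ttl)
    name = "new.example.com."
    timeline = [(0, cache.resolve(name, 0, zone, soa))]        # miss cached
    zone[name] = "192.0.2.20"                                   # published at t=600
    timeline.append((3600, cache.resolve(name, 3600, zone, soa)))  # still negative
    t_exp = resolver_negative_ttl(soa, max_ncache_ttl)
    timeline.append((t_exp, cache.resolve(name, t_exp, zone, soa)))
    return timeline


if __name__ == "__main__":
    s = parse_soa(SAMPLE_SOA)
    print("RFC 2308 negative TTL:", negative_ttl(s))
    print("after BIND default clamp:", resolver_negative_ttl(s, BIND_DEFAULT_MAX_NCACHE_TTL))
    for t, ans in demo_leak_scenario():
        print(f"t={t:6d}s -> {ans or 'NXDOMAIN (cached)'}")
```

Run with the default clamp, the record published at t=600 is not visible through that resolver until t=10800; run `demo_leak_scenario(86400)` to see what a resolver without the clamp does with a 24-hour SOA.minimum, which is the case Kevin is objecting to.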
