DNS Negative Caching

Darcy Kevin (FCA) kevin.darcy at fcagroup.com
Fri Aug 28 21:15:19 UTC 2015


Negative-caching TTL and regular TTL have little to do with each other; it's not a reasonable assumption that one should stand in as a default for the other. I know analogies are frequently dangerous, but to me, that's kind of like saying that the amount of time that normally elapses between replacing one's automobile with a newer vehicle can be safely assumed to be equal to the amount of time one could go without an automobile at all. The two things are related, of course (in the analogy, they're both about automobiles), but it would be foolish to assume that one time interval is the same as the other. One pertains to the *existence* of something, that needs to be periodically refreshed; the other refers to the duration of an *absence* of something.

As you pointed out (correctly), this isn't an issue which affects anything that goes "on the wire", e.g. master-slave replication via AXFR/IXFR, since, "on the wire" the TTL is always included with the RR. It's only an issue for how the zone files are managed on the master.

My opinion: named on the master should reject illegal zone files.

Note that this is a non-issue if Dynamic Update is being used to manage zones (since then named writes out the zone file), or if a commercial-grade DNS management system is the thing that's generating the zone files (since they should all be compliant to RFC 2308 by now; if not, sue the manufacturer for a product defect). It's perhaps only an issue for some homebrew zonefile-creation scripts that were written a long time ago, and where the administrators have been systematically ignoring the "no TTL specified; using SOA MINTTL instead" errors in their logs, every time named loads or reloads the zones.

									- Kevin
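The distinction the message draws (default TTL for RRs versus negative-caching TTL from the SOA minimum) can be checked mechanically. The script below is an added example, not part of this message and not BIND's own code (named-checkzone is the real tool); it reads a BIND-style master file, reports which source the default TTL comes from, reports the SOA minimum as the negative-caching TTL, and flags the case the thread calls illegal: no $TTL directive and no explicit TTL on the first RR. The zone text, the name example.test and the address 192.0.2.1 are constructed sample data.

```python
"""Added example: check a BIND master file for the RFC 2308 TTL problem
discussed in the thread.  Not BIND's code; named-checkzone is the real
tool.  RFC 2308 makes the last SOA field the negative-caching TTL and
gives master files a $TTL directive for the default TTL of RRs that
carry none.  A file whose first RR has no explicit TTL and is not
preceded by $TTL is incomplete; BIND then falls back to the SOA minimum
and logs "no TTL specified; using SOA MINTTL instead".  The checker
reports both TTLs separately so they are never mistaken for each other.
"""
import re

_CLASSES = {"IN", "CH", "HS"}
_TTL_RE = re.compile(r"^\d+$|^(\d+[smhdw])+$", re.I)
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_ttl(token):
    """Convert a TTL token such as '3600', '1h' or '1d12h' to seconds."""
    if not _TTL_RE.match(token):
        raise ValueError(f"not a TTL: {token!r}")
    return sum(int(n) * _UNITS.get(u.lower(), 1)
               for n, u in re.findall(r"(\d+)([smhdw]?)", token, re.I))


def _logical_lines(text):
    """Yield lines with ';' comments stripped and parenthesised
    continuations (e.g. a multi-line SOA) joined into one line.
    Simplification: a ';' inside a quoted TXT string counts as a comment."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            yield " ".join(buf)
            buf, depth = [], 0


def analyze_zone(text):
    """Return the default TTL, where it came from, the negative-caching TTL,
    and whether the file relies on the pre-RFC 2308 SOA-minimum fallback."""
    ttl_directive = None   # value of a $TTL seen before the first RR
    seen_rr, first_rr_ttl, soa_minimum = False, None, None
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$TTL":
            if not seen_rr:
                ttl_directive = parse_ttl(tokens[1])
            continue
        if tokens[0].startswith("$"):          # $ORIGIN, $INCLUDE, ...
            continue
        if not line[0].isspace():              # owner name present
            tokens = tokens[1:]
        # optional TTL and class may precede the type, in either order
        explicit_ttl = None
        while tokens and (_TTL_RE.match(tokens[0]) or tokens[0].upper() in _CLASSES):
            if _TTL_RE.match(tokens[0]):
                explicit_ttl = parse_ttl(tokens[0])
            tokens.pop(0)
        if not seen_rr:
            seen_rr, first_rr_ttl = True, explicit_ttl
        if tokens and tokens[0].upper() == "SOA":
            # rdata: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
            rdata = [t for t in (x.strip("()") for x in tokens[1:]) if t]
            soa_minimum = parse_ttl(rdata[6])
    if soa_minimum is None:
        raise ValueError("no SOA record found")
    if ttl_directive is not None:
        default, source, violation = ttl_directive, "$TTL directive", False
    elif first_rr_ttl is not None:
        default, source, violation = first_rr_ttl, "explicit TTL on first RR", False
    else:
        default, source, violation = soa_minimum, "SOA minimum (RFC 2308 violation)", True
    return {"default_ttl": default, "default_ttl_source": source,
            "negative_ttl": soa_minimum, "rfc2308_violation": violation}


# Constructed sample master file; example.test and 192.0.2.1 are documentation values.
ZONE_RFC2308 = """\
$TTL 1h
@   IN SOA ns1.example.test. hostmaster.example.test. (
        2015082801 ; serial
        7200       ; refresh
        900        ; retry
        1209600    ; expire
        300 )      ; negative-caching TTL, the RFC 2308 meaning
    IN NS  ns1.example.test.
ns1 IN A   192.0.2.1
"""
# Same zone without $TTL and with no TTL on the first RR: the illegal case.
ZONE_LEGACY = ZONE_RFC2308.replace("$TTL 1h\n", "")
# Same zone without $TTL but with an explicit TTL on the first RR: still legal.
ZONE_FIRST_RR_TTL = ZONE_LEGACY.replace("@   IN SOA", "@ 1d IN SOA")

if __name__ == "__main__":
    for name, zone in (("rfc2308", ZONE_RFC2308), ("legacy", ZONE_LEGACY),
                       ("first-rr-ttl", ZONE_FIRST_RR_TTL)):
        print(name, analyze_zone(zone))
```

Running it on the three constructed files shows that the negative-caching TTL is 300 in every case, while the default TTL comes from $TTL, from the first RR, or (only in the legacy file) from the SOA minimum fallback that the message argues named should reject.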

-----Original Message-----
From: bind-users-bounces at lists.isc.org [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Matus UHLAR - fantomas
Sent: Friday, August 28, 2015 3:49 PM
To: bind-users at lists.isc.org
Subject: Re: DNS Negative Caching

On 28.08.15 17:32, Darcy Kevin (FCA) wrote:
>RFC 2308 said that the use of the last field of the SOA to set
>negative-caching TTL is "the new defined meaning of the SOA minimum
>field". So you can *call* it "minimum", but it is *actually* supposed
>to function as something else...
>
>Eventually I hope BIND will conform to the spirit of RFC 2308 and stop
>using the last field of the SOA to set the default TTL, as a "fallback"
>in scenarios where the file would otherwise be illegal (i.e. the
>first RR has no explicit TTL set, and there is no $TTL directive preceding it).
>RFC 2308 is so old, that if it were a person, it would be legal to buy
>cigarettes in some parts of the world. It's long past time for folks
>to get with the program.

what would you expect bind to do in such a case, refuse the zone?
The "minimum" value is a safe default in most cases.

Note that it only matters on masters, the XFER slaves see the ttl within each record...
--
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
    One OS to rule them all, One OS to find them, One OS to bring them all and into darkness bind them