change response cache ttl (--enable-cache-ttl)
Darcy Kevin (FCA)
kevin.darcy at fcagroup.com
Fri Aug 5 00:03:16 UTC 2016
That's only a problem if the clients are constantly looking up the name, right? If they're looking it up only _occasionally_, with some degree of entropy, then the query load gets spread out.
So, in those cases, implement something on the client side that pre-expires the cache entry with some degree of randomness factored in. Pre-expiring cache entries is entirely within the standards and the original concept of how DNS response caching works (since, after all, dumping one's cache can't be prevented if the client restarts or reboots). Sure, pre-expiration may result in an overall increase in query traffic, but it smooths out the spikes to the intermediate resolvers, which is what we're worried about here. In time, the data owners will catch on that their cache entries are being pre-expired; if they care about that, they'll bump up the TTLs to compensate, eventually we reach a point of equilibrium.
From: Mark Andrews [mailto:marka at isc.org]
Sent: Thursday, August 04, 2016 7:47 PM
To: Darcy Kevin (FCA)
Cc: bind-users at lists.isc.org
Subject: Re: change response cache ttl (--enable-cache-ttl)
In message <de89e87d93dc4c7dad81bcc0ddae343d at mxph4chrw.fgremc.it>, "Darcy Kevin (FCA)" writes:
> "many client have caused a burst DNS traffic" is not much of a problem
> statement, honestly.
> What does this patch add, of value, that isn't already covered by
> If you're trying to allow the operators of intermediate resolvers to
> override the intentions of the data owner, by enforcing a *minimum*
> TTL, then I have to say that's a really bad idea. The data owner sets
> their TTL for a reason, and if it's low, it's probably because the
> infrastructure is very dynamic. Forcing data to be kept after the data
> owners' TTL, risks keeping "stale" data in the client, and this will
> likely have a negative impact on the user experience. It might even
> have security implications, because maybe that resource (e.g. IP
> address) isn't trusted any more. You don't want clients connecting to
> an untrusted resource, do you? Who would have legal or criminal
> liability, if that happened?
> - Kevin
The problem is when you have a million clients each with a local cache they all expire the record simultaniously and if it is a popular address then you get a million DNS queries in the second after the ttl has expired as all those local caches refresh.
This is a attempt to distribute the query load from those caches uniformly rather than have a peak load every ttl seconds.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the bind-users