TLD nameservers that also cache?

Brad Knowles blk at
Thu Jul 6 14:57:27 UTC 2000


	We've run into a problem recently that has led me to 
re-re-re-read Cricket's book (especially chapter 2.6), and to 
ruminate on the nature of the behaviour of resolvers and caching 

	What got this started is that we have discovered that (a.k.a., [] & []) are not only secondary nameservers 
for the ".be" ccTLD, but are also caching nameservers.

	Of course, when we make changes on our own local network (e.g., 
to move to a different IP address), we restart our own 
caching nameservers, so that our customers can see these changes as 
quickly as possible.  However, when the caching nameservers come back 
up, it is fairly likely that they will have their cache polluted by 
the old information that has been cached on one of these two machines.

	Well, what kind of solutions are possible?

	We have tried approaching the administrator for these machines, 
and quite simply he doesn't care.  There has been no amount of 
complaining or pressure we've been able to apply so far that seems to 
have any effect -- and our Director of Operations is on the Board of 
Directors for DNS.BE, the registrar for the ccTLD.

	We can turn down our TTLs on specific names that we know are 
going to be moving soon, but we can't afford to turn down the TTL to 
900 seconds across all the thousands of domains we host.  Even if we 
did, this wouldn't really solve the cache pollution problem -- it 
would just make it last for a shorter period of time, although it 
would cause a lot of other problems as well.

	We could designate as a bogusns, and simply not pay 
attention to any answers we get from it at all.  However, this would 
be extremely dangerous, as there is only one other nameserver 
advertised for, and Belnet runs the biggest Exchange in the 
country, one that we make very heavy use of.  They also provide 
connectivity for all of the educational institutions in the country, 
making them a non-profit ISP that is as large as (or larger than) we 
are, and they've got a lot more support from government and other 
educational institutions.

	We could make our caching-only nameservers hidden secondaries for 
all our domains, but this re-introduces all the problems that we were 
trying to fix by splitting the authoritative and caching parts onto 
different servers.  In particular, this would give our customers a 
different view of the world than is had by people outside our 
network, and render us unable to certify that everything really is 
working to people outside of our network, without ourselves having 
access to accounts on other services.

	The only other solution I can think of is to change the behaviour 
of caching/recursive nameservers.  Instead of having it go all the 
way to the root nameservers and ask the question 
"", and following the referral, it should assume 
that the higher level nameservers are non-caching and reduce the 
query appropriately.  In this case, it should ask them "be/IN/NS", 
follow the referrals to the nameservers for ".be", then ask 
"" to one or more of them, and then and only then 
should it finally ask the question "".

	Changing the behaviour in this way would reduce the benefit of 
caching provided by higher level nameservers, but the root 
nameservers and the nameservers for the various TLDs shouldn't be 
doing caching anyway, so there's no real loss there.

	Obviously, there would be added complexity in the 
caching/recursive nameserver (you would want to be able to control 
the depth to which you modify the queries so as to avoid attempting 
to make use of caching at higher level nameservers).

	There would also be increased load on caching/recursive 
nameservers, as they would now have to do more work to construct 
proper queries of higher-level nameservers based on the information 
that they are trying to answer, as opposed to simply parroting the 
question they've been asked.

	But it seems to me that this solution would be more resistant to 
cache pollution problems, and I wonder if it wouldn't also address 
some of the issues that Dan Bernstein has raised in the past.

	Can anyone else think of any other solutions to this problem that 
we're having?  Well, other than knee-capping Marc Roger, that is?  ;-)

	Also, is there something fundamentally flawed in the way I'm 
thinking that perhaps caching/recursive nameservers should be 
working?  Are there other chapters I should go re-re-re-read again?

   These are my opinions -- not to be taken as official Skynet policy
Brad Knowles, <blk at>                || Belgacom Skynet SA/NV
Systems Architect, Mail/News/FTP/Proxy Admin || Rue Colonel Bourg, 124
Phone/Fax: +32-2-706.13.11/12.49             || B-1140 Brussels
                                             || Belgium
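
Added example (not part of Brad's post, and not BIND code): a small offline Python simulation of the two resolver behaviours the post contrasts. The topology is constructed, with placeholder hostnames (a.root, ns.tld.example, ns1.example.be.) and RFC 5737 test addresses; the ".be" secondary is modelled, as in the post, as a server that also keeps a cache and still holds the old A record for a name that has just moved. The classic resolver repeats the full leaf question at every server on the path and so takes the stale cached answer from the TLD server; the minimised resolver asks that server only for the next NS set, so the leaf question never reaches it. This is essentially what was later standardised as QNAME minimisation (RFC 7816). Caveat shown by the model: it keeps the leaf question away from intermediate servers, but a stale cached NS set on one of them would still be followed.

```python
"""Offline simulation: full-QNAME iteration vs. query minimisation.

Constructed topology with placeholder hostnames; no real DNS traffic.
"""
from dataclasses import dataclass, field


def parents(qname):
    """Ancestors of an FQDN from the root down, ending with qname itself:
    'www.example.be.' -> ['.', 'be.', 'example.be.', 'www.example.be.']"""
    labels = [l for l in qname.split(".") if l]
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


@dataclass
class Server:
    """A nameserver holding authoritative zones and (optionally) a cache."""
    zones: dict                                 # apex -> {(owner, type): [rdata]}
    cache: dict = field(default_factory=dict)   # (owner, type) -> [rdata]
    seen: list = field(default_factory=list)    # every question this server received

    def query(self, qname, qtype):
        """Answer like an authoritative server that also caches.
        Returns ("answer", rdata_list) or ("referral", [ns hostnames])."""
        self.seen.append((qname, qtype))
        apex = max((a for a in self.zones
                    if a == "." or qname == a or qname.endswith("." + a)),
                   key=len, default=None)
        if apex is None:
            # Not authoritative anywhere above qname: a pure cache lookup.
            return "answer", self.cache.get((qname, qtype), [])
        zone = self.zones[apex]
        for cut in reversed(parents(qname)):    # closest enclosing name first
            if cut == apex:
                break
            if (cut, "NS") in zone:
                # qname lies below a delegation. A non-caching server would
                # only refer; a caching one prefers whatever it has cached.
                if (qname, qtype) in self.cache:
                    return "answer", self.cache[(qname, qtype)]
                return "referral", zone[(cut, "NS")]
        return "answer", zone.get((qname, qtype), [])


def resolve_full(servers, start, qname, qtype, hops=10):
    """Today's behaviour: repeat the full question at every server on the path."""
    current = start
    for _ in range(hops):
        kind, data = servers[current].query(qname, qtype)
        if kind == "answer":
            return data
        current = data[0]            # follow the first NS of the referral
    raise RuntimeError("referral loop")


def resolve_minimised(servers, start, qname, qtype, hops=10):
    """The post's proposal: walk down asking each level only for the next
    label's NS set; the real question goes only to the closest server(s)."""
    current = start
    for name in parents(qname)[1:-1]:          # every ancestor, top down
        _, nameservers = servers[current].query(name, "NS")
        if nameservers:                        # a cut (or NS answer): step down
            current = nameservers[0]
    for _ in range(hops):                      # only now send the leaf question
        kind, data = servers[current].query(qname, qtype)
        if kind == "answer":
            return data
        current = data[0]
    raise RuntimeError("referral loop")


def build_scenario():
    """Constructed topology (placeholder names, RFC 5737 addresses)."""
    return {
        "a.root": Server(zones={".": {("be.", "NS"): ["ns.tld.example"]}}),
        # The ccTLD secondary that also caches: it still has the OLD address.
        "ns.tld.example": Server(
            zones={"be.": {("example.be.", "NS"): ["ns1.example.be."]}},
            cache={("www.example.be.", "A"): ["192.0.2.1"]}),
        # The customer's authoritative server already has the NEW address.
        "ns1.example.be.": Server(
            zones={"example.be.": {("www.example.be.", "A"): ["192.0.2.2"]}}),
    }


def compare(qname="www.example.be.", qtype="A"):
    """Resolve the same name both ways and report what the TLD server saw."""
    full, mini = build_scenario(), build_scenario()
    return {
        "full": resolve_full(full, "a.root", qname, qtype),
        "minimised": resolve_minimised(mini, "a.root", qname, qtype),
        "tld_saw_leaf_full": (qname, qtype) in full["ns.tld.example"].seen,
        "tld_saw_leaf_minimised": (qname, qtype) in mini["ns.tld.example"].seen,
        "tld_questions_minimised": mini["ns.tld.example"].seen,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The model deliberately lets a caching server prefer its cache over a referral for names below a delegation cut, which is the behaviour the post complains about; swap the order of those two checks in Server.query to see that a server which answers authoritative data first is harmless to either resolver.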
