TLD nameservers that also cache?
Brad Knowles
blk at skynet.be
Thu Jul 6 14:57:27 UTC 2000
Folks,
We've run into a problem recently that has led me to
re-re-re-read Cricket's book (especially chapter 2.6), and to
ruminate on the nature of the behaviour of resolvers and caching
nameservers.
What got this started is that we have discovered that
ns.belnet.be (a.k.a., vivaldi.belnet.be [193.190.198.2] &
holem.belnet.be [193.190.198.10]) are not only secondary nameservers
for the ".be" ccTLD, but are also caching nameservers.
Of course, when we make changes on our own local network (e.g.,
to move www.skynet.be to a different IP address), we restart our own
caching nameservers, so that our customers can see these changes as
quickly as possible. However, when the caching nameservers come back
up, it is fairly likely that they will have their cache polluted by
the old information that has been cached on one of these two machines.
Well, what kind of solutions are possible?
We have tried approaching the administrator for these machines,
and quite simply he doesn't care. There has been no amount of
complaining or pressure we've been able to apply so far that seems to
have any effect -- and our Director of Operations is on the Board of
Directors for DNS.BE, the registrar for the ccTLD.
We can turn down our TTLs on specific names that we know are
going to be moving soon, but we can't afford to turn down the TTL to
900 seconds across all the thousands of domains we host. Even if we
did, this wouldn't really solve the cache pollution problem -- it
would just make it last for a shorter period of time, although it
would cause a lot of other problems as well.
We could designate ns.belnet.be as a bogusns, and simply not pay
attention to any answers we get from it at all. However, this would
be extremely dangerous, as there is only one other nameserver
advertised for belnet.be, and Belnet runs the biggest Exchange in the
country, one that we make very heavy use of. They also provide
connectivity for all of the educational institutions in the country,
making them a non-profit ISP that is as large as (or larger than) we
are, and they've got a lot more support from government and other
educational institutions.
We could make our caching-only nameservers hidden secondaries for
all our domains, but this re-introduces all the problems that we were
trying to fix by splitting the authoritative and caching parts onto
different servers. In particular, this would give our customers a
different view of the world than is had by people outside our
network, and render us unable to certify that everything really is
working to people outside of our network, without ourselves having
access to accounts on other services.
The only other solution I can think of is to change the behaviour
of caching/recursive nameservers. Instead of having it go all the
way to the root nameservers and ask the question
"www.skynet.be/IN/A", and following the referral, it should assume
that the higher level nameservers are non-caching and reduce the
query appropriately. In this case, it should ask them "be/IN/NS",
follow the referrals to the nameservers for ".be", then ask
"skynet.be/IN/NS" to one or more of them, and then and only then
should it finally ask the question "www.skynet.be/IN/A".
Changing the behaviour in this way would reduce the benefit of
caching provided by higher level nameservers, but the root
nameservers and the nameservers for the various TLDs shouldn't be
doing caching anyway, so there's no real loss there.
Obviously, there would be added complexity in the
caching/recursive nameserver (you would want to be able to control
the depth to which you modify the queries so as to avoid attempting
to make use of caching at higher level nameservers).
There would also be increased load on caching/recursive
nameservers, as they would now have to do more work to construct
proper queries of higher-level nameservers based on the information
that they are trying to answer, as opposed to simply parroting the
question they've been asked.
But it seems to me that this solution would be more resistant to
cache pollution problems, and I wonder if it wouldn't also address
some of the issues that Dan Bernstein has raised in the past.
Can anyone else think of any other solutions to this problem that
we're having? Well, other than knee-capping Marc Roger, that is? ;-)
Also, is there something fundamentally flawed in the way I'm
thinking that perhaps caching/recursive nameservers should be
working? Are there other chapters I should go re-re-re-read again?
--
These are my opinions -- not to be taken as official Skynet policy
======================================================================
Brad Knowles, <blk at skynet.be> || Belgacom Skynet SA/NV
Systems Architect, Mail/News/FTP/Proxy Admin || Rue Colonel Bourg, 124
Phone/Fax: +32-2-706.13.11/12.49 || B-1140 Brussels
http://www.skynet.be || Belgium
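The resolver change proposed in the post, worked through as an added simulation (this is not code from the post, from BIND, or from Skynet). It models a root server, a ".be" server that is both authoritative and caching (the ns.belnet.be situation), and the skynet.be server, then resolves the same name two ways: the classic way, sending the full question "www.skynet.be/IN/A" to every server on the referral chain, and the reduced way, asking each level only for the NS set of the next zone cut and asking the real question only of the leaf zone's server. All hostnames other than those in the post, the addresses, the records and the stale cache entry are constructed; glue resolution is replaced by a dictionary lookup. It also covers the case the post does not spell out, a label with no zone cut below the zone server (here "hosting.skynet.be"), where the reduced resolver has to stay on the current server rather than follow anything.

```python
"""Simulation of query reduction versus classic full-question resolution.
Names, addresses and records are constructed for the simulation; the
old/new addresses are placeholders, not Skynet's real ones."""
from dataclasses import dataclass, field

OLD_IP = "192.0.2.10"   # constructed: address www.skynet.be moved away from
NEW_IP = "192.0.2.20"   # constructed: address it moved to


@dataclass
class Server:
    """A nameserver authoritative for one zone that may also keep a cache of
    answers it has seen (the 'TLD secondary that also caches' problem)."""
    name: str
    zone: str                                   # "" for the root zone
    records: dict                                # (owner, type) -> rdata list
    cache: dict = field(default_factory=dict)   # (owner, type) -> stale rdata

    def query(self, qname, qtype):
        """Return (kind, data, source). kind is 'answer', 'referral' or
        'nodata'; data is the rdata list, or the NS list for a referral."""
        key = (qname, qtype)
        if key in self.records:
            return "answer", self.records[key], "authoritative"
        if key in self.cache:
            # A caching server answers the exact question from its cache
            # before looking at its delegations: this is the pollution path.
            return "answer", self.cache[key], "cache"
        labels = qname.split(".")
        for i in range(len(labels)):            # longest zone cut first
            cut = ".".join(labels[i:])
            if cut != self.zone and (cut, "NS") in self.records:
                return "referral", self.records[(cut, "NS")], cut
        return "nodata", None, None


# Constructed topology: root -> .be (authoritative AND caching) -> skynet.be
SERVERS = {
    "root": Server("root", "", {("be", "NS"): ["ns.belnet.be"]}),
    "ns.belnet.be": Server("ns.belnet.be", "be",
                           {("be", "NS"): ["ns.belnet.be"],
                            ("skynet.be", "NS"): ["ns.skynet.be"]},
                           cache={("www.skynet.be", "A"): [OLD_IP]}),  # stale
    "ns.skynet.be": Server("ns.skynet.be", "skynet.be",
                           {("www.skynet.be", "A"): [NEW_IP],
                            ("ftp.hosting.skynet.be", "A"): ["192.0.2.30"]}),
}


def resolve_classic(qname, qtype, log):
    """Current behaviour: parrot the full question to each server in turn."""
    server = SERVERS["root"]
    while True:
        kind, data, src = server.query(qname, qtype)
        log.append(f"{server.name}: {qname}/{qtype} -> {kind} ({src})")
        if kind == "answer":
            return data, src
        if kind != "referral":
            return None, None
        server = SERVERS[data[0]]   # dictionary lookup stands in for glue


def resolve_reduced(qname, qtype, log):
    """Proposed behaviour: walk top-down asking only 'zone/IN/NS' at each
    level, then ask the real question of the leaf zone's own server."""
    labels = qname.split(".")
    server = SERVERS["root"]
    for depth in range(len(labels) - 1, 0, -1):
        zone = ".".join(labels[depth:])
        kind, data, src = server.query(zone, "NS")
        log.append(f"{server.name}: {zone}/NS -> {kind} ({src})")
        if kind in ("answer", "referral"):
            server = SERVERS[data[0]]
        # 'nodata' means no zone cut at this label: stay on the current
        # server and keep descending (e.g. hosting.skynet.be is not delegated)
    kind, data, src = server.query(qname, qtype)
    log.append(f"{server.name}: {qname}/{qtype} -> {kind} ({src})")
    return (data, src) if kind == "answer" else (None, None)


def compare(qname, qtype="A"):
    """Run both strategies; returns (classic_result, reduced_result, logs)."""
    log_c, log_r = [], []
    return resolve_classic(qname, qtype, log_c), resolve_reduced(qname, qtype, log_r), (log_c, log_r)


if __name__ == "__main__":
    for name in ("www.skynet.be", "ftp.hosting.skynet.be"):
        classic, reduced, (log_c, log_r) = compare(name)
        print(f"== {name}\nclassic -> {classic}", *log_c, sep="\n  ")
        print(f"reduced -> {reduced}", *log_r, sep="\n  ")
```

Running it shows the difference the post is after: the classic walk hands "www.skynet.be/IN/A" to ns.belnet.be, which answers from its cache with the old address, while the reduced walk only ever asks ns.belnet.be "skynet.be/IN/NS", data it is authoritative for, and gets the new address from ns.skynet.be. The same idea was later standardised as QNAME minimisation (RFC 7816), with the same trade-off the post describes: more queries per lookup, less dependence on what intermediate servers happen to have cached.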