[Techtalk] Stupid DNS questions

Magni Onsoien magnio+lc-techtalk at pvv.ntnu.no
Tue Mar 9 18:46:48 EST 2004


On 2004-03-08 23:19:08 -0800, Kai MacTane said:
> I must confess, I don't quite get the TTL.

As Mary said in another posting, this is for caching nameservers.
But there are actually 2 different TTLs to worry about - both TTL in the 
SOA record of the zone, and the $TTL in the beginning of the zone file.

The SOA TTL is the negative TTL, which is the time negative data about 
the zone is cached. If someone asks for blurb.puzzling.org (which doesn't 
exist), data about this will be cached for 24 hours and you will never 
get a positive reply for blurb.puzzling.org until the cache has expired. 

This is definitely an issue if you are testing a new hostname and happen 
to ask your NS for it _before_ you have successfully reloaded the zone 
file (we have never reloaded without increasing the serial, have we?).

$TTL is pretty new, I think it's implemented from bind9, and is what we 
think of as TTL today: the time (positive) data is cached by caching
nameservers. 

The SOA TTL should be relatively low, like 10 minutes, to make it possible 
for you to continue without restarting bind if you make a little typo when
adding and testing names :-)

$TTL, however, should be longer, to avoid high load on your name server 
because data was cached too short and you thus have to provide the data 
again and again to caching servers. I'd say 24 hours is ok in a normal 
situation, and there are rarely situations where a longer TTL is convenient 
- but certainly those where a low $TTL is good: imagine you are changing 
MX for a site, and after you have changed DNS to the new server you find a 
bug that will make the new server bounce all mail. Then it's nice to be 
able to switch back to the old one fast :-) Or if you are changing 
webserver to another provider and don't want ANY traffic to the old site 
after the change - then set $TTL low at least ${old $TTL} time before you 
are changing things.

If you are making automatic scripts and interfaces to change this, make 
sure it's possible to override them, especially if you are an ISP or for 
other reasons provide DNS to third parties. There is always someone who 
needs a different TTL or $TTL for some reason, temporarily or permanently, and 
then it's really annoying (and it looks unprofessional when viewed from the 
outside) if the change isn't possible. I think a good interface should 
allow (an admin?) to set TTL and $TTL to whatever she wants, with a comment
explaining the exception from normal values, and also an (optional) time 
limit would be nice - but don't change back to default values automatically 
when this limit is reached - send a mail to a responsible person (the person 
requesting the change, perhaps) and ask if it's ok first.

Authoritative on negative caching is RFC 2308: 
http://www.faqs.org/rfcs/rfc2308.html



Magni :)
-- 
sash is very good for you.
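Added example, not part of the mailing list post: a small Python walkthrough of the two TTLs the message distinguishes. It parses a constructed zone file (hostnames and addresses are placeholders, not a real zone), reads the $TTL default and per-record TTLs, derives the negative caching TTL the way RFC 2308 section 5 specifies (the smaller of the SOA MINIMUM field and the SOA record's own TTL), and then replays the "asked for the name before the zone was reloaded" situation against a toy caching resolver. The parser and resolver are deliberately simplified for this subset of zone-file syntax and are assumptions of this example, not BIND's behaviour in every detail.

```python
"""Positive ($TTL) vs. negative (SOA MINIMUM) caching, worked on a toy zone."""
import re
from dataclasses import dataclass, field

# Constructed sample zone for this example only; names and addresses are placeholders.
SAMPLE_ZONE = """\
$TTL 86400
@   IN SOA ns1.example.test. hostmaster.example.test. (
        2004030901 ; serial
        3600       ; refresh
        900        ; retry
        604800     ; expire
        600 )      ; minimum: this is the negative caching TTL (RFC 2308)
@   IN NS  ns1.example.test.
@   IN MX  10 mail.example.test.
www 300 IN A 192.0.2.10
mail    IN A 192.0.2.25
"""


@dataclass
class Zone:
    default_ttl: int                      # value of $TTL
    soa_ttl: int                          # TTL of the SOA record itself
    soa_minimum: int                      # MINIMUM field inside the SOA rdata
    records: dict = field(default_factory=dict)  # (name, type) -> (ttl, rdata)


def parse_zone(text):
    """Minimal zone-file parser: ';' comments, '( ... )' continuation, $TTL, optional per-record TTL."""
    lines = [re.sub(r";.*", "", ln).rstrip() for ln in text.splitlines()]
    joined, buf = [], ""
    for ln in lines:
        buf += " " + ln
        if "(" in buf and ")" not in buf:     # still inside a parenthesised SOA
            continue
        if buf.strip():
            joined.append(buf.replace("(", " ").replace(")", " ").strip())
        buf = ""
    default_ttl = soa_ttl = soa_minimum = None
    records = {}
    for ln in joined:
        parts = ln.split()
        if parts[0] == "$TTL":
            default_ttl = int(parts[1])
            continue
        name, rest = parts[0], parts[1:]
        ttl = default_ttl                     # records without an explicit TTL inherit $TTL
        if rest[0].isdigit():
            ttl = int(rest.pop(0))
        if rest[0] == "IN":
            rest.pop(0)
        rtype, rdata = rest[0], rest[1:]
        if rtype == "SOA":
            soa_ttl, soa_minimum = ttl, int(rdata[-1])
        records[(name, rtype)] = (ttl, " ".join(rdata))
    return Zone(default_ttl, soa_ttl, soa_minimum, records)


def negative_ttl(zone):
    """RFC 2308 section 5: negative answers are cached for min(SOA MINIMUM, SOA record TTL)."""
    return min(zone.soa_minimum, zone.soa_ttl)


class CachingResolver:
    """Toy caching nameserver in front of one authoritative zone (example assumption)."""

    def __init__(self, zone):
        self.zone = zone
        self.cache = {}   # (name, type) -> (expires_at, rdata or None for a cached NXDOMAIN)

    def query(self, name, rtype, now):
        key = (name, rtype)
        if key in self.cache and now < self.cache[key][0]:
            return self.cache[key][1]         # served from cache, positive or negative
        hit = self.zone.records.get(key)
        if hit is None:                       # NXDOMAIN: cache the absence, too
            self.cache[key] = (now + negative_ttl(self.zone), None)
            return None
        ttl, rdata = hit
        self.cache[key] = (now + ttl, rdata)
        return rdata


def nxdomain_scenario(zone_text):
    """Ask for a name before it exists, add it, and watch the negative cache hold the old answer."""
    zone = parse_zone(zone_text)
    resolver = CachingResolver(zone)
    results = [resolver.query("blurb", "A", now=0)]             # None, cached for negative_ttl
    zone.records[("blurb", "A")] = (zone.default_ttl, "192.0.2.30")  # zone reloaded with the name
    results.append(resolver.query("blurb", "A", now=100))       # still None: negative entry alive
    results.append(resolver.query("blurb", "A", now=600))       # expired, authoritative answer now
    return results


def earliest_cutover(old_ttl, lowered_at):
    """A lowered $TTL only helps once every cached copy carrying the old TTL has expired."""
    return lowered_at + old_ttl


if __name__ == "__main__":
    z = parse_zone(SAMPLE_ZONE)
    print("positive default TTL:", z.default_ttl, "negative TTL:", negative_ttl(z))
    print("blurb lookups over time:", nxdomain_scenario(SAMPLE_ZONE))
```

The scenario is the one the post warns about: the first lookup for blurb is answered NXDOMAIN and cached for the SOA MINIMUM (600 s here), so adding the record and reloading does not make it visible through that resolver until the negative entry expires. earliest_cutover encodes the "set $TTL low at least ${old $TTL} before the change" rule as a number you can put in a change plan.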