[Techtalk] Stupid DNS questions
Magni Onsoien
magnio+lc-techtalk at pvv.ntnu.no
Tue Mar 9 18:46:48 EST 2004
On 2004-03-08 23:19:08 -0800, Kai MacTane said:
> I must confess, I don't quite get the TTL.
As Mary said in another posting, this is for caching nameservers.
But there are actually 2 different TTLs to worry about - both the TTL in the
SOA record of the zone and the $TTL at the beginning of the zone file.
The SOA TTL is the negative TTL, which is the time negative data about
the zone is cached. If someone asks for blurb.puzzling.org (which doesn't
exist), data about this will be cached for 24 hours and you will never
get a positive reply for blurb.puzzling.org until the cache has expired.
This is definitely an issue if you are testing a new hostname and happen
to ask your NS for it _before_ you have successfully reloaded the zone
file (we have never reloaded without increasing the serial, have we?).
$TTL is pretty new, I think it's implemented from bind9, and is what we
think of as TTL today: the time (positive) data is cached by caching
nameservers.
The SOA TTL should be relatively low, like 10 minutes, to make it possible
for you to continue without restarting bind if you make a little typo when
adding and testing names :-)
$TTL, however, should be longer, to avoid high load on your name server
because data was cached for too short a time and you thus have to provide
the data again and again to caching servers. I'd say 24 hours is ok in a
normal situation, and there are rarely situations where a longer TTL is
convenient - but there are certainly those where a low $TTL is good: imagine
you are changing the MX for a site, and after you have changed DNS to the new
server you find a bug that will make the new server bounce all mail. Then
it's nice to be able to switch back to the old one fast :-) Or if you are
changing web server to another provider and don't want ANY traffic to the
old site after the change - then set $TTL low at least ${old $TTL} time
before you change things.
If you are making automatic scripts and interfaces to change this, make
sure it's possible to override them, especially if you are an ISP or for
other reasons provide DNS to third parties. There is always someone who
needs a different TTL or $TTL for some reason, temporarily or permanently,
and then it's really annoying (and it looks unprofessional when viewed from
the outside) if the change isn't possible. I think a good interface should
allow (an admin?) to set TTL and $TTL to whatever she wants, with a comment
explaining the exception from the normal values, and also an (optional) time
limit would be nice - but don't change back to default values automatically
when this limit is reached - send a mail to a responsible person (the person
requesting the change, perhaps) and ask if it's ok first.
Authoritative on negative caching is RFC 2308:
http://www.faqs.org/rfcs/rfc2308.html
Magni :)
--
sash is very good for you.
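As an added example that is not part of Magni's message or of any BIND code: a small Python script that reads a BIND-style zone file and reports the two TTLs discussed above, the positive TTL from $TTL (or a per-record override) and the negative-cache TTL from the SOA. The zone text inside it is constructed (puzzling.org is the name from the post; the hosts, addresses and serial are made up). The negative figure follows RFC 2308 section 5, where a negative answer is cached for the smaller of the SOA record's own TTL and its MINIMUM field; when the SOA carries no explicit TTL it inherits $TTL, so with the values in the post (10-minute MINIMUM, 24-hour $TTL) the MINIMUM wins. The last helper does the "lower $TTL at least one old $TTL before the change" arithmetic.

```python
"""Report what caching resolvers keep from a BIND-style zone file.

Added example, not code from the original post.  SAMPLE_ZONE is
constructed: puzzling.org is the name from the post, everything else
(hosts, addresses, serial) is made up.
"""
import re
from datetime import datetime, timedelta

# Constructed sample zone: $TTL 24h for positive data, SOA MINIMUM 10 min.
SAMPLE_ZONE = """\
$TTL 24h            ; positive data cached for 24 hours
$ORIGIN puzzling.org.
@       IN  SOA ns1.puzzling.org. hostmaster.puzzling.org. (
                2004030901  ; serial: bump it on every change before reload
                3600        ; refresh
                900         ; retry
                604800      ; expire
                600 )       ; minimum = negative-cache TTL (10 minutes)
        IN  NS  ns1.puzzling.org.
        IN  MX  10 mail.puzzling.org.
www 300 IN  A   192.0.2.10  ; explicit 5-minute TTL overrides $TTL
mail    IN  A   192.0.2.25
"""

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
TTL_RE = re.compile(r"^(\d+|(\d+[smhdw])+)$", re.I)


def parse_ttl(text):
    """Parse a BIND TTL: plain seconds ('600') or unit form ('1h30m')."""
    if not TTL_RE.match(text):
        raise ValueError("not a TTL: %r" % text)
    if text.isdigit():
        return int(text)
    return sum(int(n) * UNITS[u.lower()]
               for n, u in re.findall(r"(\d+)([smhdw])", text, re.I))


def logical_lines(zone_text):
    """Yield records with ';' comments removed and '( ... )' spans joined."""
    buf, depth = [], 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # sample has no quoted ';'
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            yield " ".join(buf)
            buf = []


def analyse_zone(zone_text):
    """Return $TTL, the SOA fields, the negative-cache TTL and each record's TTL."""
    default_ttl, soa, records, owner = None, None, [], "@"
    for line in logical_lines(zone_text):
        tokens = line.replace("(", " ").replace(")", " ").split()
        if tokens[0] == "$TTL":
            default_ttl = parse_ttl(tokens[1])
            continue
        if tokens[0].startswith("$"):          # $ORIGIN etc.: not needed here
            continue
        # Record syntax: [owner] [ttl] [class] type rdata...
        i = 0
        if not line[0].isspace():              # leading blank means "same owner as before"
            owner, i = tokens[0], 1
        ttl = None
        if TTL_RE.match(tokens[i]):
            ttl, i = parse_ttl(tokens[i]), i + 1
        if tokens[i].upper() in ("IN", "CH", "HS"):
            i += 1
        rtype, rdata = tokens[i].upper(), tokens[i + 1:]
        if ttl is None:
            ttl = default_ttl                  # no per-record TTL: $TTL applies
        if rtype == "SOA":
            soa = {"mname": rdata[0], "rname": rdata[1], "ttl": ttl,
                   "serial": int(rdata[2])}
            soa.update(zip(("refresh", "retry", "expire", "minimum"),
                           map(parse_ttl, rdata[3:7])))
        records.append((owner, rtype, ttl))
    if soa is None:
        raise ValueError("zone has no SOA record")
    # RFC 2308 section 5: a negative answer is cached for
    # min(TTL of the SOA record, SOA MINIMUM field).  A file with no $TTL
    # (pre-RFC 2308 style) used MINIMUM as the default TTL, so fall back to it.
    soa_ttl = soa["ttl"] if soa["ttl"] is not None else soa["minimum"]
    negative_ttl = min(soa_ttl, soa["minimum"])
    return {"default_ttl": default_ttl, "soa": soa,
            "negative_ttl": negative_ttl, "records": records}


def lower_ttl_by(cutover_iso, old_ttl):
    """Latest time (ISO 8601) to lower $TTL so that no resolver still holds
    the old value when the data changes at `cutover_iso`."""
    cutover = datetime.fromisoformat(cutover_iso)
    return (cutover - timedelta(seconds=old_ttl)).isoformat()


if __name__ == "__main__":
    info = analyse_zone(SAMPLE_ZONE)
    print("positive TTL ($TTL):   %d s" % info["default_ttl"])
    print("negative-cache TTL:    %d s" % info["negative_ttl"])
    for owner, rtype, ttl in info["records"]:
        print("  %-5s %-4s ttl=%d" % (owner, rtype, ttl))
    print("lower $TTL no later than",
          lower_ttl_by("2004-03-10T12:00:00", info["default_ttl"]))
```

Run it on a real zone file by replacing SAMPLE_ZONE with the file's contents; the comment stripping is deliberately naive (no handling of ';' inside quoted TXT data), which is enough to check the SOA and $TTL of a typical zone before reloading it.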