Changes to NS RRset caching strategy in BIND 9.6-ESV-R6, 9.7.5, 9.8.2 and 9.9.0
Author: Mark Andrews Reference Number: AA-00620 Created: 2012-02-22 02:05 Last Updated: 2012-02-22 23:55

Introduction:

In the DNS, a parent zone is authoritative for the presence of a delegation (the NS RRset in the parent zone), but the child zone is authoritative for the contents of the NS RRset. These NS RRsets are supposed to be loosely synchronised, with the parent and child zone operators both responsible for keeping the contents the same, as well as any glue address records for the name servers.

Named can learn the contents of a NS RRset three ways:

  • by a referral from the parent zone to the child zone
  • by an explicit query for the NS records (externally triggered or as part of DNSSEC validation)
  • as authoritative data returned along with responses to other queries

The last two usually result in named potentially updating an existing cached NS RRset. How this is done matters both for distributing subsequent queries for the zone across the zone's current name servers and for the speed with which changes to the NS RRset propagate. Named needs to honour both the presence/absence of the NS RRset in the parent zone and its contents. As the child is authoritative for the contents of the NS records, it is not possible to avoid updating the NS RRset and still validate it with DNSSEC.

Previous Behaviour:

Prior to this change, named would trim the received TTL of NS RRsets that did not change. This prevented resolvers from staying locked on to old name servers, which could happen with mismanaged DNS operator changes where the old operator continued to serve the old zone content. With a properly managed DNS operator change, all name servers for a zone serve the same zone content, modulo zone transfer delays. Named did not, however, trim the TTL of NS RRsets that did change when storing them in the cache.

This honoured the contents of the NS RRset but not the presence/absence of the delegation.

New Behaviour:

When looking up records in a zone, named now remembers the TTL of the NS RRset and trims the TTL of any NS RRset with the same owner name in the response to that value. This is done to ensure that the removal of a delegation is detected.

This honours both the contents of the NS RRset and the presence/absence of the delegation.
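
The difference between the two policies can be seen in a small cache model. This is an added example, not BIND source code: the names `CachedNS`, `store_ns` and `delegation_expiry`, the policy labels and the sample responses are all constructed for illustration, and the model tracks only one owner name.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CachedNS:
    servers: frozenset
    expires: int  # absolute time (seconds) at which the entry leaves the cache

def store_ns(cached, now, servers, ttl, policy):
    """Cache entry after a response carrying an NS RRset for the same owner name."""
    servers = frozenset(servers)
    if cached is None:
        return CachedNS(servers, now + ttl)          # first learned from the referral
    remaining = cached.expires - now                 # TTL remembered from the cached RRset
    if policy == "previous" and servers != cached.servers:
        return CachedNS(servers, now + ttl)          # changed RRset was stored untrimmed
    return CachedNS(servers, now + min(ttl, remaining))

def delegation_expiry(responses, policy):
    """Time at which the resolver must go back to the parent zone."""
    cached = None
    for now, servers, ttl in responses:
        if cached is not None and cached.expires <= now:
            break  # entry expired: the next lookup re-checks the delegation at the parent
        cached = store_ns(cached, now, servers, ttl, policy)
    return cached.expires

# Constructed sample: (time, NS targets, TTL). The first entry is the parent's
# referral; the rest are authoritative answers from the child's servers.
RESPONSES = [
    (0,    {"ns1.example.net"}, 3600),
    (1800, {"ns1.example.net"}, 3600),  # unchanged: trimmed under both policies
    (3000, {"ns2.example.net"}, 3600),  # changed: only the new policy trims
    (6000, {"ns3.example.net"}, 3600),
]

if __name__ == "__main__":
    for policy in ("previous", "new"):
        print(policy, delegation_expiry(RESPONSES, policy))
```

Under the previous policy each changed NS RRset restarts the clock, so a delegation removed from the parent after the referral is not re-checked while such answers keep arriving; under the new policy the entry expires when the original referral's TTL runs out.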

