But to answer your question, off-hand, I'd say that any TTL under 60s is
suspicious and any TTL under 10s is almost certainly intentionally
abusive.

On 09.02.18 23:11, John Levine wrote:
I hope you're not planning to do much spam filtering.

On Sat, Feb 10, 2018 at 2:42 PM, Matus UHLAR - fantomas
<uh...@fantomas.sk> wrote:
do you have any evidence where enforcing a 5s minimum leads to serious
problems?

On 10.02.18 19:41, Warren Kumari wrote:
Ok, so I've never used forwarders (actually, that's not strictly true;
I've used them twice, but it was to work around weird issues, and I
felt dirty), but couldn't increasing the TTL cause stupid
configuration issues to become immortal RRs?

we are talking about min-ttl around 10 seconds.

I've seen a number of instances where people who *do* forward manage
to make a loop - this works just fine under normal conditions (at
least with BIND's default of "forward first" - resolver A gets a
question for an answer not in its cache, it asks B, B asks A, after a
few rounds this hits the forward timeout, and one of them recurses to
find the answer. Now the pair (or pathologically, group) has the
answer, and this will decay, just like any other TTL. Eventually it
expires, you get a brief spike as they both ask each other, and the
process repeats.

If TTLs were capped to a minimum, A would time it out, and ask B. B
will respond with e.g. 4 seconds, and A will bump that back up to 5. 4
seconds later, B will time out, and will ask A. A still has 1 second
left, so it answers with 1. B helpfully bumps that back to 5, 1 second
later, A expires, and forwards to B, ...

Now, I'm guessing that I'm missing something obvious here (more than
"Well, don't forward and minimum cap TTLs!" and / or "Don't make loops
of forwarders, it's silly"), but I'm not sure what...

OTOH, I have encountered a case where a Cisco ALG changed A records and set the TTL
to 0; later the admin was complaining about a huge number of DNS queries causing
high load on the router...

There are many ways to fsck things up, and many ways to avoid that.
Forcing min-ttl is a way to avoid one, although it can cause what you
describe. But I do not create loops and would like a possibility to avoid
the latter case.

Note that I am able to configure BIND to avoid loops, but I can't affect
the Cisco ALG ...
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
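To make the interaction discussed in this thread concrete (Warren's "immortal RR" loop between two forwarders with a min-TTL floor, and Matus's TTL-0 query storm), here is a toy simulation added as an illustration; it is not code from the thread or from BIND. One tick is one second, the forward timeout, the authoritative TTL and the client query pattern are assumptions, and the floor is applied to everything cached, the way a min-cache-ttl setting would.

```python
"""Toy model of two resolvers that forward to each other (a forwarder loop).
Constructed for illustration: a resolver that gets no usable answer from its
forwarder recurses itself after FORWARD_TIMEOUT; a min-TTL floor is applied."""
from dataclasses import dataclass

FORWARD_TIMEOUT = 3  # seconds (assumed) before a resolver gives up on its forwarder


@dataclass
class Resolver:
    min_ttl: int                 # floor applied to every cached TTL (0 = off)
    auth_ttl: int                # TTL the authoritative server publishes
    peer: "Resolver" = None      # the forwarder, which forwards back to us
    expires_at: int = 0          # record valid while in_flight_until <= now < expires_at
    in_flight_until: int = 0     # our own recursion completes at this time
    forwarded: int = 0           # queries sent to the forwarder
    recursed: int = 0            # queries sent to the authoritative server

    def valid(self, now):
        return self.in_flight_until <= now < self.expires_at

    def lookup(self, now):
        """Serve one client query at time `now`; return the TTL served or None."""
        if self.valid(now):
            return self.expires_at - now
        if now < self.in_flight_until:       # recursion still in progress, wait
            return None
        self.forwarded += 1
        if self.peer.valid(now):
            # Forwarder answers with its remaining TTL; the floor bumps it up.
            self.expires_at = now + max(self.peer.expires_at - now, self.min_ttl)
            return self.expires_at - now
        # Forwarder has nothing usable: time out, then recurse ourselves.
        self.recursed += 1
        self.in_flight_until = now + FORWARD_TIMEOUT
        self.expires_at = self.in_flight_until + max(self.auth_ttl, self.min_ttl)
        return None


def simulate(min_ttl, auth_ttl=30, seconds=300):
    """Return (authoritative queries, forwarder queries) over the whole run."""
    a, b = Resolver(min_ttl, auth_ttl), Resolver(min_ttl, auth_ttl)
    a.peer, b.peer = b, a
    for now in range(seconds):
        a.lookup(now)                         # A's clients query every second
        if now >= 1:
            b.lookup(now)                     # B's clients start one second later
    return a.recursed + b.recursed, a.forwarded + b.forwarded


if __name__ == "__main__":
    print("min-ttl 0:", simulate(0), "min-ttl 5:", simulate(5), "TTL 0:", simulate(0, 0))
```

With the floor the pair re-fetches from the authority only twice in five minutes and then bounces the record between themselves forever, while without it they expire together and re-fetch every TTL; with an authoritative TTL of 0, the floor turns 200 upstream queries into 2 at the price of the same endless ping-pong.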
