> On Feb 25, 2016, at 2:17 PM, John Levine <[email protected]> wrote:
>
>> You query for "m" ...
>
>> Meanwhile, at the authority, "m" is added and "ll" is deleted. ...
>
>> You query for "l". ...
>
>> Meanwhile at the authority, everything but @ is deleted.
>
> This doesn't strike me as a very persuasive argument. The DNS is not
> Oracle, and has never promised to be perfectly coherent. If my cache
> queries you for x, you say x doesn't exist, then you add x to the
> server, my cache will continue to say x doesn't exist until the TTL
> for the cache entry expires. This shouldn't surprise anyone.
Well said. I agree.
>
>
> Synthesized NXDOMAINs slightly increase the range of x for which
> cached answers might be stale, but it's hard to see that as a big
> deal. If your applications depend on up to date cached data, use
> short TTLs like everyone else does. For example, I see the SOA for
> www.nominum.com have a TTL of one minute.
Since cheese-shop is specific to the root zone, the TTLs are already
well known (and, I think, unlikely to change). The document says:
For the limited use case of this document (the DNS root) we believe
that this is an acceptable trade off - the (current) TTL of the
"negative cache" (in the SOA) is the same as the NSEC TTL (1 day).
This means that, for a new TLD to begin resolving everywhere will
require a minimum of a day - and this is true whether or not this is
implemented (if someone had queried for the exact name, there would
be a negatively cached answer, this simply expands the range of
negative caches).
I would note, however, that one popular implementation limits negative
caching to 3 hours by default:
[bind-9.9.2rc1]$ grep ncache bin/named/config.c
max-ncache-ttl 10800; /* 3 hours */\n\
In other words, today (as a BIND user) you might only have to wait 3 hours
when a new TLD is added, not the whole SOA minimum.
For implementations that treat "positive" and "negative" cache entries
separately, perhaps the document should say whether a validated proof of
non-existence should be considered "positive" or "negative."
DW
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
