> On Feb 25, 2016, at 2:17 PM, John Levine <[email protected]> wrote:
> 
>> You query for "m" ...
> 
>> Meanwhile, at the authority, "m" is added and "ll" is deleted. ...
> 
>> You query for "l". ...
> 
>> Meanwhile at the authority, everything but @ is deleted.
> 
> This doesn't strike me as a very persuasive argument.  The DNS is not
> Oracle, and has never promised to be perfectly coherent.  If my cache
> queries you for x, you say x doesn't exist, then you add x to the
> server, my cache will continue to say x doesn't exist until the TTL
> for the cache entry expires.  This shouldn't surprise anyone.

Well said.  I agree.


>  
> 
> Synthesized NXDOMAINs slightly increase the range of x for which
> cached answers might be stale, but it's hard to see that as a big
> deal.  If your applications depend on up to date cached data, use
> short TTLs like everyone else does.  For example, I see the SOA for
> www.nominum.com have a TTL of one minute.


Since cheese-shop is specific to the root zone, the TTLs are already
well known (and, I think, unlikely to change).   The document says:

   For the limited use case of this document (the DNS root) we believe
   that this is an acceptable trade off - the (current) TTL of the
   "negative cache" (in the SOA) is the same as the NSEC TTL (1 day).
   This means that, for a new TLD to begin resolving everywhere will
   require a minimum of a day - and this is true whether or not this is
   implemented (if someone had queried for the exact name, there would
   be a negatively cached answer, this simply expands the range of
   negative caches).

I would note, however, that one popular implementation limits negative
caching to 3 hours by default:

  [bind-9.9.2rc1]$ grep ncache bin/named/config.c 
        max-ncache-ttl 10800; /* 3 hours */\n\

In other words, today (as a BIND user) you might only have to wait 3 hours
when a new TLD is added, not the whole SOA minimum.

For implementations that treat "positive" and "negative" cache entries
separately, perhaps the document should say whether a validated proof of
non-existence should be considered "positive" or "negative."

DW



_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop

Reply via email to