[sclug] DNS caching brokenness

Simon Huggins huggie at earth.li
Sat Jan 28 10:54:00 UTC 2006


Do you know why it took so long for your message to get to the list btw?

On Tue, Jan 24, 2006 at 06:59:19PM +0000, Simon Heywood wrote:
> I've been trying to diagnose a problem with one of the DNS resolvers run
> by my ADSL provider, Zen Internet. Six days ago I redelegated one of my
> domains (triv.org.uk) to a new set of authoritative name servers, but
> the resolver in question still hands out the old records:

> ----------
> $ date; host -v -t ns triv.org.uk 212.23.3.100
> Tue Jan 24 18:32:36 GMT 2006
> ;; ANSWER SECTION:
> triv.org.uk.            72364   IN      NS      ns3.mydyndns.org.
[..]
> The records in question all had TTLs of twenty-four hours, and the
> delegation records in the parent zone had TTLs of forty-eight hours
> (although I'm not sure if that matters), so I'd expect the resolver to
> have fetched fresh records by now.

> Initially, Zen Internet's support people suggested that this was because
> the SOA expire value was set to seven days, but I pointed out that
> resolvers have no business even looking at that value.

> Now they're suggesting it's because DynDNS's name servers are still claiming
> authority on the zone. Am I being dumb, or is it up to the resolver to
> get fresh information along the path of delegation? I can't see why the
> old NS records should stay around any longer than their TTL.

http://www.squish.net/dnscheck/ is useful for demonstrating that your
setup is entirely right btw.

I can't explain this.  If I check DNS and BIND then it does indeed say,
as you'd expect, you can only cache records according to their TTL.  You
didn't break the zone that ns0.triv.org.uk returned to have the wrong NS
records for a while, did you?

I would have thought that the normal operation would be: the NS records
they cached for triv.org.uk would expire, they would then ask the .uk
nameservers about them, get the new records and all would be well with
the world.  The only spanner in the works I can see would be if, when it
finally got to ns0.triv.org.uk, your server returned the old bogus
NS records (possibly with a longer TTL too) - that could confuse them
suitably, but still.

Do you know what they run as their recursive DNS servers?  Maybe they
have some aggressive caching parameters set to break TTLs.  I believe
NTL do weird DNS things (or possibly it's their webcache; I haven't
looked personally, just seen reports).

But no, basically I'm stumped.

Oh hrm, you have TCP port 53 closed.  Is that deliberate?

If you want something to be incredibly picky over zones you have to (of
course) ask the .fr registry's tool [0] but even http://www.zonecheck.fr/demo/
doesn't seem to have any errors that would cause this.

Simon.

[0] Having lived in France for 2 years, I do love them but they do know
    how to make life a misery for someone registering a domain.

-- 
Just another wannabie |  "The machine is dead" - Deep  |  Just another fool
----------------------+             Throat             +-------------------
This message was brought to you by the letter M and the number  4.
htag.pl 0.0.22 -- http://www.earth.li/projectpurple/progs/htag.html
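An added illustration, not part of the thread, of the two refresh behaviours discussed above: a resolver that re-walks the delegation from .uk when the cached NS set expires, versus one that re-asks a server from the expired set and believes its authoritative answer. Everything here is a constructed model; only ns3.mydyndns.org., ns0.triv.org.uk. and the 24-hour TTL come from the post, the other names are hypothetical.

```python
from dataclasses import dataclass

DAY = 86400  # one day in seconds; the NS TTL quoted in the post

# Constructed scenario: at t=0 the .uk delegation for the zone switches to
# NEW_NS, but the old provider's servers keep answering with OLD_NS, i.e.
# they still "claim authority" for the zone.  ns4/ns1 are hypothetical.
OLD_NS = ("ns3.mydyndns.org.", "ns4.mydyndns.org.")
NEW_NS = ("ns0.triv.org.uk.", "ns1.triv.org.uk.")


@dataclass
class Cache:
    ns: tuple      # NS RRset the resolver currently holds for the zone
    expires: int   # absolute time (s) at which that RRset leaves the cache


def authoritative_ns(server, ttl=DAY):
    """NS RRset a given name server returns for the zone, with its TTL."""
    if server in OLD_NS:
        return OLD_NS, ttl   # stale provider still lists itself as authority
    return NEW_NS, ttl


def refresh(cache, now, parent_centric):
    """Replace an expired NS RRset.  Parent-centric: re-walk the delegation
    from .uk, follow the referral to a NEW_NS server and take its answer.
    Child-centric: ask a server from the expired set instead.  RFC 2181
    ranks an authoritative answer above the parent's referral data, so a
    resolver doing the latter keeps trusting the stale servers."""
    if now < cache.expires:
        return cache
    source = NEW_NS[0] if parent_centric else cache.ns[0]
    ns, ttl = authoritative_ns(source)
    return Cache(ns, now + ttl)


def simulate(parent_centric, days=6, step=3600):
    """Run the cache forward from the redelegation, checking it hourly."""
    cache = Cache(OLD_NS, 0)  # old set cached, expiring right at redelegation
    for now in range(0, days * DAY + 1, step):
        cache = refresh(cache, now, parent_centric)
    return cache.ns


def expected_refreshes(elapsed, ttl=DAY):
    """How many times a TTL-respecting resolver must have refetched the set."""
    return elapsed // ttl
```

After six days the parent-centric model holds NEW_NS and has refetched at least six times; the child-centric model still holds OLD_NS with a fresh TTL every day, which is the symptom described in the quoted message.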