[Pdns-users] Unresolvable domains with 3.1.1 and "auth-can-lower-ttl"

[Darren Gamble]

Good day,

 

We just yesterday deployed the 3.1.1 recursor in one of our regions, and
have noted a handful of domains with problems when the
"auth-can-lower-ttl" attribute is set on the server.   I noted that some
users here reported some problems with 3.1.1 on their servers - this
could be the reason

 

The problem is that, with this option, the recursor can end up with
different NS data for the same name with varying TTL values.  This
happens if the "lower" servers do not include some NS records that are
present on the "registrar" servers, and with lower TTL values.  When
this happens, the lower TTL records will expire, leaving only the
records with the higher TTLs. If that server(s) is/are also not
reachable- then the domain will be unresolvable until that NS record
expires.  When it does, this cycle will start again.  I believe that
different data for the same name is never supposed to have differing TTL
values anyway...

 

At the time of this message, "ocis.net" and "ipcc.ca" are examples of
this situation.

 

We took a look at how some other caching software handles this situation
- nearly all of them have an implicit "auth-can-lower-ttl", but, they
all also just completely replace the NS records with those on the
"lower" servers, thus still leaving a set of NS records on the cache
that all have the same (lower) TTL.

 

We'd really prefer to not to disable "auth-can-lower-ttl" on these new
pdns servers as we know this will draw different complaints from users
who are migrating their domains.

 

Is there any other recourse here?

 

Thanks!

 

============================
Darren Gamble
Planner, Regional Services
Shaw Cablesystems GP
630 - 3rd Avenue SW
Calgary, Alberta, Canada
T2P 4L4
(403) 781-4948

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20060613/a6c777a2/attachment.html>