[Pdns-users] Some PowerDNS Recursor oddities

Darren Gamble darren.gamble at sjrb.ca
Thu May 18 17:49:19 UTC 2006

Hi Bert,

This was the issue described in my second message.  I'll explain it here
with an example, and everyone can just draw their own conclusions.

Let us assume the domain example.com is being hosted on
ns1.providera.com and ns2.providera.com.  The .com servers and the
authoritative servers have the right NS records, with a TTL of 2D.  An A
record for www.example.com exists on the zone, with a TTL of, say, 2H.

Now, a client asks a cache for www.example.com.  The cache will go get
the data, and cache both the NS records and the A record for www.
Further queries in the next 2H get the cached data.

When the cached data expires, the cache will go ask ns1.providera.com or
ns2.providera.com for the information again.  The servers will happily
respond with the answer, and will provide their NS records in the
authority section, too.  The cache will re-cache the A record, but what
about those NS records?

The cache may choose to update its cache with these NS records.  If it
does so, and if the cache continues to get queries for records in this
zone, these NS records will never expire; they will be continually updated
from ns1.providera.com and ns2.providera.com.  The cache will never go
back to the .com servers to see if they have changed.

So is this good or bad?  On the good side, the cache doesn't need to
spend resources periodically going back to the .com servers for data.
On the bad side, often users will change the providers for their zones,
and they or their old provider (frequently the latter) will not remove
the zone from the old server.  So, again assuming that the cache is
still getting queries for the zone, it will NEVER get the domain's new
servers until the cache is dumped or something.

Obviously, the correct way to perform this sort of change is to make the
old servers not authoritative for the zone when the NS records on the
higher-level server change.  In our experience, this very often does not
happen.  Often the user doesn't even have a business relationship with
their old provider anymore, which makes it much more difficult for them
to have this change done (sometimes we can help them out).  This
particular situation happens a couple times a week, perhaps?

Microsoft's DNS server and djbdns will behave in this way.  BIND,
MaraDNS and Network Registrar appear to be "smart" enough to know
when and when not to update their caches; they won't re-update their
caches for these NS TTLs in this way, instead always re-asking the parent
servers when the TTL expires.  PowerDNS should be unaffected because, as
per the previous conversation, the NS records on these servers are not
used at all, letting them always expire (I think?).  But, if you change
this behavior... then you'll need to consider this situation.

Sorry for the verbosity, but, we wanted to explain the situation in its
entirety.  Let us know if you'd like any more information.  

Darren Gamble
Planner, Regional Services
Shaw Cablesystems GP
630 - 3rd Avenue SW
Calgary, Alberta, Canada
T2P 4L4
(403) 781-4948

> -----Original Message-----
> From: bert hubert [mailto:bert.hubert at netherlabs.nl]
> Sent: Thursday, May 18, 2006 3:53 AM
> To: Darren Gamble
> Cc: pdns-users at mailman.powerdns.com
> Subject: Re: [Pdns-users] Some PowerDNS Recursor oddities
> On Wed, May 17, 2006 at 10:08:06AM -0600, Darren Gamble wrote:
> > second situation I described where you have "older" servers still
> > authoritative for a zone that they shouldn't be, which causes a
> > significantly larger issue.
> Do you have references to this problem? I'd like to know what other
> nameservers do, and how big the problem is.
> Thanks.
> --
> http://www.PowerDNS.com      Open source, database driven DNS Software
> http://netherlabs.nl              Open and Closed source services
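
The cache behaviour described in the message above, as an added simulation that is not part of the original post and not any name server's actual code. The new provider name (providerb.com), the move time and the query intervals are constructed assumptions; the 2D and 2H TTLs are the ones from the message.

```python
# Constructed scenario: example.com is re-delegated at the .com servers,
# but the old provider's servers keep answering authoritatively for the zone.
DAY = 86400
NS_TTL = 2 * DAY          # NS TTL of 2D, as in the message
A_TTL = 2 * 3600          # A record TTL of 2H, as in the message
OLD_NS = ("ns1.providera.com", "ns2.providera.com")
NEW_NS = ("ns1.providerb.com", "ns2.providerb.com")  # hypothetical new provider


def parent_delegation(now, moved_at):
    """NS set the .com servers hand out at time `now` (seconds)."""
    return NEW_NS if now >= moved_at else OLD_NS


def simulate(refresh_ns_from_child, moved_at, duration, query_interval):
    """Replay client queries for www.example.com against one cache.

    refresh_ns_from_child=True models a cache that re-caches the NS records
    found in the authority section of every answer; False models a cache
    that lets the NS records expire and then re-asks the parent.
    Returns (time the cache first used NEW_NS or None, parent lookups).
    """
    ns, ns_expiry, a_expiry = None, -1, -1
    parent_lookups, switched_at = 0, None
    for now in range(0, duration, query_interval):
        if now < a_expiry:
            continue                      # A record served from cache
        if now >= ns_expiry:              # delegation expired: ask .com again
            ns = parent_delegation(now, moved_at)
            ns_expiry = now + NS_TTL
            parent_lookups += 1
            if ns == NEW_NS and switched_at is None:
                switched_at = now
        # The cache now queries a server in `ns`. Each provider's servers
        # list themselves in the authority section, so the NS set in the
        # answer equals `ns`, carrying a fresh TTL.
        a_expiry = now + A_TTL
        if refresh_ns_from_child:
            ns_expiry = now + NS_TTL      # NS TTL restarts on every answer
    return switched_at, parent_lookups


if __name__ == "__main__":
    # Zone moves after one day; observe for 30 days.
    for label, refresh, interval in (("refresh NS, hourly queries", True, 3600),
                                     ("expire NS, hourly queries", False, 3600),
                                     ("refresh NS, query every 3 days", True, 3 * DAY)):
        print(label, simulate(refresh, DAY, 30 * DAY, interval))
```

With steady queries the refreshing cache contacts the parent once and never sees the new delegation, while the expiring cache picks it up at the next NS expiry; the refreshing cache only recovers when queries are sparse enough for the NS TTL to lapse.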
