On Sun, Feb 14, 2010 at 7:55 PM, Larry Sheldon <LarrySheldon@cox.net> wrote:
> I understand that--but if the TTL is being managed correctly the server answering authoritatively ought to stop doing so when the TTL runs out, since it will not have had its authority renewed.
The TTL can never "run out" on an authoritative nameserver, the TTL given for a query response is always the full TTL of the RR that a dns admin populated the zone with. The only way an authoritative nameserver should expire and become non-authoritative (without administrative action) for a record is the case where it is a slave server, and it fails to receive updates from the master for an entire zone before the "EXPIRE" period defined in the zone's SOA (in seconds) elapses. After the expire value, then, the zone is no longer authoritative on the slave. This is normally set to a very large number, such as 604800 or 2419200 (7 or 30 days, respectively).
> The glue and all of that stuff won't expire at TTL=0? I'll have to study that a bit.
Which type of glue are you referring to? TTL only indicates the expiration time of resolver cached information after the resolver has already returned the complete response. Additional sections provided expire from resolver cache when the TTL of the RR in the additional section is decremented from zero. SOAs always have a TTL of zero, anyways. A TTL of zero just prohibits caching (and some unruly resolvers or web browsers violate the standard and ignore the prohibition against caching). DNS pinning, and they call this breach of standard a "security" feature. Also, BIND implements the EXPIRE value in the SOA. But other DNS server software applications widely ignore this value, and the zone stays authoritative on all servers, no matter how much time elapses between updates (in that case).

--
-J
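The reply above separates two different clocks: the per-RR TTL that a resolver counts down in its cache (with TTL=0 meaning "do not cache"), and the SOA EXPIRE interval after which a slave stops answering authoritatively for a zone it could not refresh. The following is an added illustrative model of both mechanisms written for this page; it is not code from BIND or from anyone in the thread. The SOA RDATA, hostnames and timestamps are constructed sample values, and `parse_soa`, `slave_is_authoritative` and `ResolverCache` are names chosen here, not a real library API.

```python
"""Constructed model of the two expiry mechanisms discussed in the thread:
a resolver cache that honours RR TTLs (TTL=0 is never cached) and a slave
zone that stops being authoritative once the SOA EXPIRE interval passes
without a successful refresh. Illustrative only, not BIND's implementation."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample SOA RDATA (not from any real zone):
# MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
SOA_RDATA = "ns1.example.com. hostmaster.example.com. 2010021401 3600 900 604800 86400"


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str
    ttl: int  # TTL as published by the authoritative server, in seconds


def parse_soa(rdata: str) -> Dict[str, object]:
    """Parse presentation-format SOA RDATA into named fields.

    Field order is fixed by RFC 1035: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM.
    """
    parts = rdata.split()
    if len(parts) != 7:
        raise ValueError("SOA RDATA needs exactly 7 fields, got %d" % len(parts))
    mname, rname, *nums = parts
    serial, refresh, retry, expire, minimum = (int(n) for n in nums)
    return {"mname": mname, "rname": rname, "serial": serial, "refresh": refresh,
            "retry": retry, "expire": expire, "minimum": minimum}


def slave_is_authoritative(last_good_refresh: int, now: int, soa: Dict[str, object]) -> bool:
    """A slave keeps serving the zone authoritatively only while fewer than
    EXPIRE seconds have elapsed since its last successful refresh/transfer."""
    return (now - last_good_refresh) < int(soa["expire"])


class ResolverCache:
    """Minimal positive cache keyed by (name, type); all times are epoch seconds."""

    def __init__(self) -> None:
        self._entries: Dict[Tuple[str, str], Tuple[RR, int]] = {}

    def store(self, rr: RR, now: int) -> bool:
        """Cache rr with an absolute expiry time.

        Returns False for TTL=0: the record may be used for the current
        response but must not be retained for later queries."""
        if rr.ttl <= 0:
            return False
        self._entries[(rr.name, rr.rtype)] = (rr, now + rr.ttl)
        return True

    def lookup(self, name: str, rtype: str, now: int) -> Optional[RR]:
        """Return the cached RR with its remaining TTL, or None once it has
        counted down to zero (the entry is evicted at that point)."""
        key = (name, rtype)
        hit = self._entries.get(key)
        if hit is None:
            return None
        rr, expires_at = hit
        remaining = expires_at - now
        if remaining <= 0:
            del self._entries[key]
            return None
        return RR(rr.name, rr.rtype, rr.rdata, remaining)


if __name__ == "__main__":
    soa = parse_soa(SOA_RDATA)
    print("slave still authoritative after 6 days:",
          slave_is_authoritative(0, 6 * 86400, soa))
    print("slave still authoritative after 8 days:",
          slave_is_authoritative(0, 8 * 86400, soa))
    cache = ResolverCache()
    cache.store(RR("www.example.com.", "A", "192.0.2.10", 300), now=1000)
    print("remaining TTL at t+100:", cache.lookup("www.example.com.", "A", 1100))
    print("cached TTL=0 record?", cache.store(RR("nocache.example.com.", "A", "192.0.2.11", 0), 1000))
```

The cache model deliberately treats a record whose remaining TTL has reached zero as gone, which is the behaviour the reply describes for additional-section data; a resolver or browser that keeps answering from such an entry (DNS pinning) is the standards deviation the thread complains about. The `slave_is_authoritative` check matches the BIND behaviour described in the thread; servers that ignore EXPIRE simply never perform it.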