
I have just realised my understanding of DNS caching must be at least slightly flawed, and I'm looking to correct my understanding.

When a domain name is registered, I understand that the nameservers for it are added in the root nameservers. I also understand that my zone file includes an SOA and NS records with TTLs.

Assuming I update the nameservers for example.com (and don't remove the old nameservers from answering), how long before the old nameservers are forgotten, i.e. what settings are used by DNS to cache the answer? [I can conceive that it is the NS record TTLs, but I'm not sure this is right.] What RFCs document the expected behaviour?

Relatedly, from a recursive server's point of view, are SOA records used for anything, or are they purely for handling zone transfers?

davidgo
  • RFC1912 states "...sometimes a nameserver is moved to another host or removed from the list of secondaries. Unfortunately due to caching of NS records, many sites will still think that a host is a secondary after that host has stopped providing nameservice.... In order to prevent lame delegations while the cache is being aged, continue to provide nameservice on the old nameserver for the length of the maximum of the minimum plus refresh times for the zone and the parent zone." - Does this mean the ttls on the NS records control the caching? – davidgo May 15 '18 at 23:51

1 Answer


When a domain name is registered, I understand that the nameservers for it are added in the root nameservers

This is a common misconception. The root nameservers only know about the "top level domain" (TLD) nameservers. Your NS records were added to the registry for your TLD. The registry in turn publishes those NS records to the "TLD nameservers" for your TLD.

If you have access to the command-line dig utility, you can observe the full delegation path by running dig +trace example.com NS. In that output, the zone named . represents the root nameservers, and com. is the registry-managed zone for the "dot com" TLD.

Does this mean the ttls on the NS records control the caching?

Yes. There are two sets of NS records that you need to be aware of. The first set is in your authoritative zone. The other set is in the delegation served by the TLD nameservers. (Refer to the dig +trace example.com output from the prior example.)

When changing your nameserver IPs, the data needs to continue living on the old servers until the larger of these two TTL sets has expired. The TLD nameservers typically have TTLs measured in days.

If this is confusing, think of it this way: you have no way of controlling which of these two TTLs the servers on the internet have seen most recently. You also have no control over whether DNS servers choose to prefer one set of NS records over the other. The only thing you can do is ensure that you've waited for the longer of the two intervals.

Relatedly, from a recursive server's point of view, are SOA records used for anything, or are they purely for handling zone transfers?

The numeric intervals defined in the SOA record are mostly used for communication between your master and secondary servers. The last field, SOA.MINIMUM, is special and is used by recursive DNS servers when calculating how long they are allowed to cache the non-existence of a DNS record. (The formula is min(SOA TTL, SOA.MINIMUM); see RFC 2308.)

Andrew B
  • Thank you for this. Am I correct in understanding that the delegation served by the TLD (or in this case appropriate CCTLD nameservers) is not typically something you can adjust (in my case .AU and .NZ) - I am unaware of anything obvious at my registrars I can adjust. – davidgo May 16 '18 at 05:02
  • @davidgo If you mean whether you can adjust the TTL served by the registry, the answer is no. All you can do is specify the servers that will be in the delegation they respond with. – Andrew B May 16 '18 at 06:11
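As an added illustration of the two rules in the answer above (this is not code from the answer or from any DNS project), a small Python script that computes the overlap window from the parent-delegation and zone-apex NS TTLs, and the RFC 2308 negative-cache TTL from an SOA record. The record values are constructed to resemble what dig +trace example.com NS returns; the names, TTLs and SOA fields are assumptions.

```python
"""Added example: how long old nameservers must keep answering after an NS
change, and how long a resolver may cache a negative answer (RFC 2308)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    owner: str
    ttl: int      # seconds
    rtype: str
    rdata: str


def ns_ttls(records, zone):
    """TTLs of the NS records owned by `zone` in one record set."""
    return [r.ttl for r in records if r.rtype == "NS" and r.owner == zone]


def old_servers_must_serve_for(parent_delegation, child_apex, zone):
    """Seconds the old nameservers must keep serving after an NS change.

    A resolver may have cached either the delegation NS set (from the TLD
    servers) or the authoritative NS set (from the zone apex) and may prefer
    either one, so the safe window is the largest TTL across both sets."""
    ttls = ns_ttls(parent_delegation, zone) + ns_ttls(child_apex, zone)
    if not ttls:
        raise ValueError(f"no NS records for {zone}")
    return max(ttls)


def negative_cache_ttl(soa):
    """RFC 2308: negative answers are cached for min(SOA TTL, SOA.MINIMUM).
    MINIMUM is the last field of the SOA rdata (MNAME RNAME SERIAL REFRESH
    RETRY EXPIRE MINIMUM)."""
    minimum = int(soa.rdata.split()[-1])
    return min(soa.ttl, minimum)


# Constructed sample data (assumed values): the com. servers hand out the
# delegation with a 2-day TTL ...
PARENT = [
    Record("example.com.", 172800, "NS", "ns1.old-host.example."),
    Record("example.com.", 172800, "NS", "ns2.old-host.example."),
]
# ... while the zone's own apex advertises its NS set with a 1-hour TTL.
CHILD = [
    Record("example.com.", 3600, "NS", "ns1.old-host.example."),
    Record("example.com.", 3600, "NS", "ns2.old-host.example."),
    Record("example.com.", 3600, "SOA",
           "ns1.old-host.example. hostmaster.example.com. 2018051501 7200 900 1209600 300"),
]

if __name__ == "__main__":
    secs = old_servers_must_serve_for(PARENT, CHILD, "example.com.")
    print(f"keep old nameservers answering for {secs} s ({secs // 86400} days)")
    print("negative-cache TTL:", negative_cache_ttl(CHILD[2]), "s")
```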