httpd-dev mailing list archives

From Paul Richards <>
Subject Re: security holes and other fun stuff
Date Wed, 17 Jul 1996 11:21:19 GMT
Dean Gaudet writes:
 > In article <>,
 > Paul Richards  <> wrote:
 > >Incidentally, your DNS settings are a little odd. Having a ttl of 1/2
 > >day when your zone transfers only happen daily seems redundant to me
 > >since you can't update your tables more than once a day so why force
 > >clients to expire the cache twice a day.
 > Well the time an old record should live is the zone timeout plus the
 > record timeout, so I'm at a 1.5 day theoretical record change time now.

How often do you make changes to a record? A 1/2 day ttl seems very low for
a "running" server.

A ttl of 1/2 day forces queries to hit the server at least twice a day. This
is redundant since the secondary will not pick up changes more than once
a day so queries that hit the secondary will always get the same response
within a 24 hour period so the client may as well be allowed to cache the
data for that long. I think your DNS is somewhat mis-configured in this

If you did make a change on the primary then clients will pick up that
change if they hit the primary within 12 hours but if they access the
secondary they'll get the out of date record since the secondary only
refreshes every 24 hours. The ttl should never be less than the refresh
value, otherwise clients time out more often than the secondaries refresh
and may then get old data from the secondaries. This is one type of
misconfiguration that can cause the problems you raised originally with
clients still trying to connect to old addresses. Not likely in your
case since your values are so low.

Of course, care when updating DNS (say by pushing the data by hand to
the secondaries) can overcome these problems but that makes the whole
thing redundant, you may as well run with no refresh and infinite

I assume when you talk about zone timeout you're talking about the
refresh value?
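The check described in this message (record TTL must not be below the SOA refresh, and the worst-case window for a stale record is refresh plus TTL) as an added example; this is not code from the thread or from the httpd project. It assumes a one-line SOA record and BIND-style TTL suffixes, and the zone below is constructed with the 1 day / 12 hour values discussed above.

```python
import re

# Seconds per BIND TTL suffix; a bare number is seconds.
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
TTL_RE = re.compile(r"(\d+)([smhdw]?)")

def parse_ttl(text):
    """Parse a BIND-style TTL such as '43200', '12h' or '1d' into seconds."""
    m = TTL_RE.fullmatch(text.strip().lower())
    if not m:
        raise ValueError(f"bad TTL: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def check_zone(zone_text):
    """Return (name, ttl, worst_case_stale) for each record whose TTL is below
    the SOA refresh.  worst_case_stale = refresh + ttl: a secondary may serve
    the old record for a whole refresh period, and a client that fetched it at
    the end of that period caches it for one more TTL."""
    default_ttl = refresh = None
    records = []
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()       # drop comments, tokenize
        if len(fields) < 2:
            continue
        if fields[0] == "$TTL":
            default_ttl = parse_ttl(fields[1])
        elif "SOA" in fields:
            # Assumes a one-line SOA: SOA mname rname serial refresh retry expire minimum
            refresh = parse_ttl(fields[fields.index("SOA") + 4])
        else:
            # name [ttl] [class] type rdata: an explicit TTL is the second field
            ttl = parse_ttl(fields[1]) if TTL_RE.fullmatch(fields[1].lower()) else default_ttl
            records.append((fields[0], ttl))
    if refresh is None or any(ttl is None for _, ttl in records):
        raise ValueError("zone needs an SOA and a $TTL or per-record TTLs")
    return [(name, ttl, refresh + ttl) for name, ttl in records if ttl < refresh]

# Constructed sample zone: refresh 1 day and default TTL 12 hours (the values
# discussed in the thread), plus one shorter and one longer explicit TTL.
SAMPLE_ZONE = """\
$TTL 12h
example.test. IN SOA ns1.example.test. hostmaster.example.test. 1996071701 1d 1h 4w 1d
www     IN A 192.0.2.10
ftp  1h IN A 192.0.2.11
mail 2d IN A 192.0.2.12
"""

if __name__ == "__main__":
    for name, ttl, stale in check_zone(SAMPLE_ZONE):
        print(f"{name}: TTL {ttl}s < refresh; stale for up to {stale / 86400:.2f} days")
```

On the sample zone, www (12h default) and ftp (1h) are flagged with worst-case windows of 1.5 and about 1.04 days, while mail (2d) passes.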
