Time out for a terminology check--"resolver" vs "server".

James Hess mysidia at gmail.com
Mon Feb 15 02:24:04 UTC 2010

On Sun, Feb 14, 2010 at 7:55 PM, Larry Sheldon <LarrySheldon at cox.net> wrote:
> I understand that--but if the TTL is being managed correctly the server
> answering authoritatively ought to stop doing so when the TTL runs out,
> since it will not have had its authority renewed.

The TTL can never "run out" on an authoritative nameserver; the
TTL given for a query response is always the full TTL of the RR
that a DNS admin populated the zone with.

The only way an authoritative nameserver should expire and become
non-authoritative (without administrative action) for a record is the
case where it is a slave server, and it fails to receive updates
from the master for an entire zone before the "EXPIRE" period
defined in the zone's SOA (in seconds) elapses.

After the expire value, then, the zone is no longer authoritative on the slave.
This is normally set to a very large number, such as 604800 or 2419200
(7 or 30 days, respectively).

> The glue and all of that stuff won't expire at TTL=0?
> I'll have to study that a bit.

Which type of glue are you referring to?
TTL only indicates the expiration time of resolver cached information
after the resolver has already returned the complete response.

Additional sections provided expire from the resolver cache when the TTL of
the RR in the additional section is decremented to zero.
SOAs always have a TTL of zero, anyways.

A TTL of zero just prohibits caching (and some unruly resolvers or
web browsers violate the standard and ignore the prohibition against
caching): DNS pinning, and they call this breach of the standard a
"security" feature.

Also, BIND implements the EXPIRE value in the SOA.
But other DNS server software applications widely ignore this value,
and the zone stays authoritative on all servers, no matter how much
time elapses between updates (in that case).
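The three behaviours the post separates (an authoritative server always answering with the configured TTL, a resolver's cached copy counting down and a TTL of 0 never entering the cache, and a slave losing authority only once the SOA EXPIRE window passes without a refresh) can be seen side by side in a small model. This is an added illustration, not code from the thread or from any DNS implementation; the class names, the sample zone (`www.example.test`, `api.example.test`) and the explicit integer clock are all invented for the example.

```python
"""Toy model of the TTL/EXPIRE behaviours described in the post.

Added illustration, not code from the NANOG thread. Class and function
names are invented for this example; the clock is an integer number of
seconds passed in explicitly so everything runs offline and deterministically.
"""
from dataclasses import dataclass, replace

SOA_EXPIRE = 604800  # 7 days, one of the values mentioned in the post


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    ttl: int
    rdata: str


class AuthoritativeServer:
    """Primary (master) server. Answers always carry the zone's configured TTL;
    nothing counts down here, so the TTL can never 'run out'."""

    def __init__(self, records):
        self.zone = {(r.name, r.rtype): r for r in records}

    def query(self, name, rtype, now=0):
        return self.zone.get((name, rtype))  # `now` is irrelevant to a master


class SlaveServer(AuthoritativeServer):
    """Secondary server. Stays authoritative only while a zone transfer from
    the master has succeeded within the SOA EXPIRE window."""

    def __init__(self, expire_seconds):
        super().__init__([])
        self.expire = expire_seconds
        self.last_refresh = None

    def refresh(self, master, now):
        # Successful zone transfer: copy the zone and restart the EXPIRE clock.
        self.zone = dict(master.zone)
        self.last_refresh = now

    def is_authoritative(self, now):
        return self.last_refresh is not None and now - self.last_refresh < self.expire

    def query(self, name, rtype, now=0):
        # Once expired, the slave no longer answers for the zone at all.
        return super().query(name, rtype) if self.is_authoritative(now) else None


class CachingResolver:
    """Recursive resolver. Caches an RR for at most its TTL; a TTL of 0 is
    handed to the client but never stored."""

    def __init__(self):
        self.cache = {}  # (name, rtype) -> (RR as received, absolute expiry time)

    def resolve(self, name, rtype, upstream, now):
        key = (name, rtype)
        if key in self.cache:
            rr, expires_at = self.cache[key]
            if now < expires_at:
                # Cache hit: report the remaining lifetime, not the original TTL.
                return replace(rr, ttl=expires_at - now)
            del self.cache[key]
        rr = upstream.query(name, rtype, now)
        if rr is not None and rr.ttl > 0:  # TTL 0 is never cached
            self.cache[key] = (rr, now + rr.ttl)
        return rr


def simulate():
    """Walk through the scenarios from the post and return what each party saw."""
    master = AuthoritativeServer([
        RR("www.example.test", "A", 300, "192.0.2.10"),  # constructed sample zone
        RR("api.example.test", "A", 0, "192.0.2.20"),    # TTL 0: do not cache
    ])
    resolver = CachingResolver()
    out = {}
    # 1. The authoritative server hands out the full TTL no matter when it is asked.
    out["auth_ttl_t0"] = master.query("www.example.test", "A", now=0).ttl
    out["auth_ttl_t250"] = master.query("www.example.test", "A", now=250).ttl
    # 2. The resolver's copy counts down and is re-fetched once it reaches zero.
    out["res_ttl_t0"] = resolver.resolve("www.example.test", "A", master, now=0).ttl
    out["res_ttl_t250"] = resolver.resolve("www.example.test", "A", master, now=250).ttl
    out["res_ttl_t300"] = resolver.resolve("www.example.test", "A", master, now=300).ttl
    # 3. A TTL-0 record is returned to the client but never enters the cache.
    resolver.resolve("api.example.test", "A", master, now=0)
    out["ttl0_cached"] = ("api.example.test", "A") in resolver.cache
    # 4. A slave stays authoritative only until SOA EXPIRE elapses without a refresh.
    slave = SlaveServer(SOA_EXPIRE)
    slave.refresh(master, now=0)
    out["slave_auth_before_expire"] = slave.is_authoritative(SOA_EXPIRE - 1)
    out["slave_auth_after_expire"] = slave.is_authoritative(SOA_EXPIRE)
    out["slave_answer_after_expire"] = slave.query("www.example.test", "A", now=SOA_EXPIRE)
    return out


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The master answers 300 at both t=0 and t=250, while the resolver reports 300, then 50, then 300 again after refetching; the TTL-0 record never appears in the cache; and the slave flips from authoritative to non-authoritative exactly when 604800 seconds have passed since its last successful refresh. The model follows the BIND behaviour the post describes; a server that ignores EXPIRE would simply never call anything like `is_authoritative`.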


More information about the NANOG mailing list