Re: NS TTL Discrepancy?? (a discussion in the Bind Users forums, part of the DNS and Related Forums category)
On Sunday 15 February 2004 06:44 pm, R. Scott Perry wrote:
> It seems that the real problem is with NS A records that have a TTL
> that differs from the NS records. But, if there is a NS TTL
> discrepancy, there is likely a TTL difference between the NS record
> and the NS's A record.

Are you writing that if my NS records and A records for ns1.example.com have the same TTL I'm okay in spite of what dnsreport says?

Or am I "stuck" with using 172800 for nameservers even just before the very occasional move of a nameserver to a different IP#?

I changed my nameservers' TTLs down to 600 a few months ago before a move and didn't ever move them back <frown>. I'm going to change them back to 172800 now that this thread has brought the problem to my attention (yes; I agree I was rude to leave them that way, but I thought I should move them before a move, to expect fastest resolution afterwards). I'll change both the A and NS record TTLs, as it looks like you're saying that's the problem.

> Again, this appears to be a recently discovered issue, and delves
> into the depths of DNS that few people venture into, so there isn't
> much information about it yet.

I hope that once the issue is better understood someone will post a complete explanation here.

Jeff
--
Jeff Lasman, nobaloney.net, P. O. Box 52672, Riverside, CA 92517 US
Professional Internet Services & Support / Consulting / Colocation
Our blists address used on lists is for list email only
Phone +1 909 324-9706, or see: "http://www.nobaloney.net/contactus.html"
> > It seems that the real problem is with NS A records that have a TTL
> > that differs from the NS records. But, if there is a NS TTL
> > discrepancy, there is likely a TTL difference between the NS record
> > and the NS's A record.
>
> Are you writing that if my NS records and A records for ns1.example.com
> have the same TTL I'm okay in spite of what dnsreport says?

Probably.

> Or am I "stuck" with using 172800 for nameservers even just before the
> very occasional move of a nameserver to a different IP#?
>
> I changed my nameservers' TTLs down to 600 a few months ago before a
> move and didn't ever move them back <frown>.

Unfortunately, lots of people do that. But it can only cause problems.

While it is good practice to lower the TTL of *most* DNS records that are about to change (so that the change takes effect as quickly as possible after it is made), you have no control over the TTL of your NS records (or the A records of your authoritative DNS servers). Your parent servers (X.gtld-servers.net for .com/.net domains) hand those out. And only they can choose the TTL. If you start changing the records that you don't control, they may leak out. If they leak out, and they aren't handled properly, people may no longer be able to access any part of your domain (no E-mail, no web site, etc.). See my previous post for a scenario on how this can happen.

So the best practice is to have the TTLs for your NS records and A records for authoritative DNS servers the same as what the parent servers hand out. And, there is no reason to change those records before making any DNS change. And, you must never allow the NS records and A records for authoritative DNS servers to have different TTLs.

-Scott