On 7/22/2004 at 6:05 PM, Jeff Chan wrote:
> Should we decrease the TTL on the rbldnsd version of multi.surbl.org?
> version of multi are the default for the entire file which is currently 28800 (8 hours).
> Obviously that's quite a bit longer than the 90 minutes now used on ws or the 10 minutes for sc, so some multi/rbldnsd records
> I could probably read the RFCs or source code, but does anyone know if DNS implementations cache negative hits to the default TTL? In other words, if a new record gets added to a list, do caching name servers (that negatively cached it before, i.e., got queried and said "I don't have that") get the new record immediately or only after some TTL expires?
I think that BIND will cache negative answers for 3 hours from an authoritative name server without regard to any other TTL settings in the zone. It is possible to leave out the SOA record in the RBLDNSD zone and then BIND will see the remote name server as non-authoritative and will not cache the negative response. (Excerpts from man pages below.)
This means that if, for instance, my site is one of the earlier ones to get hit by a spam with a new URL that ends up in the SURBL, we are not going to see it as listed for up to 3 hours. I'm experimenting with 'max-ncache-ttl 3600;' in my named.conf and may drop that lower. 3600 doesn't seem to be a problem for the last several hours.
As far as the TTL for entries, I'm not overly concerned about lingering entries in multi.surbl.org (which is what we are using). I think that 90-180 minutes would be a good range for that.
======
From 'man named.conf'
max-ncache-ttl
To reduce network traffic and increase performance the server stores negative answers. max-ncache-ttl is used to set a maximum retention time for these answers in the server in seconds. The default max-ncache-ttl is 10800 seconds (3 hours).
---
From 'man rbldnsd'
It is recommended, but not mandatory, to specify SOA record for every zone. If no SOA is given, negative replies will not be cacheable by caching nameservers.
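A small model of the caching rules the two messages above are arguing about, added here by the editor; it is not code from the thread, from rbldnsd or from BIND. It applies the RFC 2308 rule (a negative answer is cacheable only when the authority section carries the zone's SOA, and then for min(TTL of the SOA record, SOA MINIMUM field)) together with BIND's max-ncache-ttl cap (default 10800 seconds), and reports the worst-case delay before a resolver holding a stale answer sees a new listing or a removal. The rbldnsd dataset text is constructed for the example, the zone name in it is illustrative, and the parser handles only the documented "$SOA ttl origin person serial refresh retry expire minttl" and "$TTL ttl" directives; everything else is an assumption of the example.

```python
"""Negative-cache TTL model: an rbldnsd zone behind a BIND caching resolver.

Added editorial example; not code from the SURBL list thread, rbldnsd or BIND.
Rules modelled:
  * RFC 2308: a resolver may cache an NXDOMAIN/NODATA answer only if the
    authority section carries the zone's SOA, and then for
    min(TTL of the SOA RR, MINIMUM field of the SOA).
  * BIND's max-ncache-ttl caps that value (default 10800 s, i.e. 3 hours).
Assumptions: the dataset text below is constructed; only the
"$SOA ttl origin person serial refresh retry expire minttl" and "$TTL ttl"
directives are parsed, every other line is ignored.
"""
from typing import NamedTuple, Optional


class ZoneSettings(NamedTuple):
    default_ttl: Optional[int]   # $TTL: TTL of positive (listed) answers
    soa_ttl: Optional[int]       # TTL on the SOA RR; None when the zone has no $SOA
    soa_minimum: Optional[int]   # MINIMUM field of the SOA; None when no $SOA


def parse_rbldnsd_directives(dataset: str) -> ZoneSettings:
    """Pull $SOA and $TTL out of an rbldnsd dataset; data lines are skipped."""
    default_ttl = soa_ttl = soa_minimum = None
    for raw in dataset.splitlines():
        line = raw.strip()
        if not line.startswith('$'):       # comments and data lines
            continue
        fields = line.split()
        if fields[0] == '$TTL' and len(fields) == 2:
            default_ttl = int(fields[1])
        elif fields[0] == '$SOA' and len(fields) == 9:
            # $SOA ttl origin person serial refresh retry expire minttl
            soa_ttl = int(fields[1])
            soa_minimum = int(fields[8])
    return ZoneSettings(default_ttl, soa_ttl, soa_minimum)


def negative_cache_ttl(zone: ZoneSettings, max_ncache_ttl: int = 10800) -> Optional[int]:
    """Seconds a BIND resolver keeps a negative answer for this zone.

    Returns None when the answer is not cacheable at all: a zone without
    $SOA puts no SOA in the authority section, so RFC 2308 forbids caching.
    """
    if zone.soa_ttl is None or zone.soa_minimum is None:
        return None
    return min(zone.soa_ttl, zone.soa_minimum, max_ncache_ttl)


def propagation_lags(zone: ZoneSettings, max_ncache_ttl: int = 10800) -> dict:
    """Worst-case delay (seconds) before a resolver that cached the old
    answer sees a change, for the two cases discussed on the list."""
    ncache = negative_cache_ttl(zone, max_ncache_ttl)
    return {
        # resolver cached "not listed" just before the listing appeared
        'new_listing_seen_after': 0 if ncache is None else ncache,
        # resolver cached the A record just before the entry was removed
        'removal_seen_after': zone.default_ttl or 0,
    }


# Constructed dataset fragment: the 28800 s values mirror the figure quoted
# in the thread; the zone name and the data line are illustrative only.
CONSTRUCTED_DATASET = """\
# constructed example, not the real multi.surbl.org dataset
$SOA 28800 multi.surbl.org. hostmaster.multi.surbl.org. 2004072201 3600 900 604800 28800
$TTL 28800
# data line below is skipped by the parser
spammer.example :127.0.0.2:Listed
"""

if __name__ == '__main__':
    zone = parse_rbldnsd_directives(CONSTRUCTED_DATASET)
    for cap in (10800, 3600):
        print(f'max-ncache-ttl {cap}: {propagation_lags(zone, cap)}')
    no_soa = zone._replace(soa_ttl=None, soa_minimum=None)
    print('without $SOA:', propagation_lags(no_soa))
```

With the constructed zone, a stock BIND resolver holds "not listed" for 10800 seconds even though the zone asks for 28800, lowering max-ncache-ttl to 3600 cuts that to one hour, and dropping $SOA makes the negative answer uncacheable at the cost of every miss going back to the authoritative server. The removal lag is governed only by the positive TTL, which is the separate knob the second message is willing to leave at 90-180 minutes.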