[SURBL-Discuss] RFC: Drop multi.surbl.org rbldnsd TTL?

Mike Atkinson mikea at kconline.com
Fri Jul 23 16:58:26 CEST 2004


On 7/22/2004 at 6:05 PM, Jeff Chan wrote:

> Should we decrease the TTL on the rbldnsd version of
> multi.surbl.org?

> version of multi are the default for the entire file which is
> currently 28800 (8 hours).

> Obviously that's quite a bit longer than the 90 minutes now used
> on ws or the 10 minutes for sc, so some multi/rbldnsd records

> I could probably read the RFCs or source code, but does
> anyone know if DNS implementations cache negative hits to
> the default TTL.  In other words if a new record gets added
> to a list, do caching name servers (that negatively cached it
> before, i.e., got queried and said "I don't have that") get
> the new record immediately or only after some TTL expires.

I think that BIND will cache negative answers for 3 hours from an
authoritative name server without regard to any other TTL settings in
the zone.  It is possible to leave out the SOA record in the RBLDNSD zone
and then BIND will see the remote name server as non-authoritative and
will not cache the negative response.  (Excerpts from man pages below.)

This means that if, for instance, my site is one of the earlier ones to
get hit by a spam with a new URL that ends up in the SURBL; we are not
going to see it as listed for up to 3 hours.  I'm experimenting with
'max-ncache-ttl 3600;' in my named.conf and may drop that lower.  3600
doesn't seem to be a problem for the last several hours.

As far as the TTL for entries; I'm not overly concerned about lingering
entries in multi.surbl.org (which is what we are using.)  I think that
90-180 minutes would be a good range for that.

======
From 'man named.conf'

max-ncache-ttl

To reduce network traffic and increase performance the server stores
negative answers. max-ncache-ttl is used to set a maximum retention time
for these answers in the server, in seconds. The default max-ncache-ttl
is 10800 seconds (3 hours).

---

From 'man rbldnsd'

It is recommended, but not mandatory, to specify an SOA record for every
zone. If no SOA is given, negative replies will not be cacheable by
caching nameservers.

-- 
 Mike Atkinson - mikea at kconline.com
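The negative-caching question raised in this thread, as an added Python model that is not part of the post or of rbldnsd/BIND: it applies the RFC 2308 rule (a name error is cacheable for min(SOA TTL, SOA MINIMUM), further capped by the resolver's max-ncache-ttl, and not cacheable at all when the authority section carries no SOA) to the values quoted above. The query interval, the listing time and the domain name are constructed assumptions, and the zone's 28800 s default TTL is assumed to apply to its SOA as well.

```python
from dataclasses import dataclass

@dataclass
class Authority:
    """What an authoritative RBL server returns alongside a name error."""
    soa_present: bool      # rbldnsd includes an SOA only if the zone defines one
    soa_ttl: int = 0       # TTL of the SOA RR in the authority section
    soa_minimum: int = 0   # MINIMUM field of the SOA RDATA

def negative_ttl(auth, max_ncache_ttl=10800):
    """Seconds a resolver may keep the NXDOMAIN; 0 means not cacheable.
    RFC 2308 s.3: lifetime = min(SOA TTL, SOA MINIMUM).
    RFC 2308 s.5.1: no SOA in the authority section -> do not cache.
    BIND additionally caps it with max-ncache-ttl (default 10800 = 3 h)."""
    if not auth.soa_present:
        return 0
    return min(auth.soa_ttl, auth.soa_minimum, max_ncache_ttl)

class Resolver:
    """Toy caching resolver that only models negative (NXDOMAIN) caching."""
    def __init__(self, max_ncache_ttl=10800):
        self.max_ncache_ttl = max_ncache_ttl
        self.negative = {}  # qname -> expiry on a constructed clock (seconds)

    def lookup(self, qname, now, listed, auth):
        """True if qname is seen as listed at clock time `now`."""
        expiry = self.negative.get(qname)
        if expiry is not None and now < expiry:
            return False  # answered from the negative cache, RBL not asked
        if qname in listed:
            return True
        ttl = negative_ttl(auth, self.max_ncache_ttl)
        if ttl:
            self.negative[qname] = now + ttl
        return False

def first_seen_listed(max_ncache_ttl, auth, listed_at=600, interval=300):
    """Constructed scenario: a mail server queries the same spam domain every
    `interval` s (first at t=0); the RBL lists it at `listed_at` s. Returns the
    clock time at which the local resolver first reports it as listed."""
    resolver, listed = Resolver(max_ncache_ttl), set()
    qname = "spamdomain.example"  # constructed, not a real listing
    for now in range(0, 86400, interval):
        if now >= listed_at:
            listed.add(qname)
        if resolver.lookup(qname, now, listed, auth):
            return now
    return None
```

Calling `first_seen_listed(10800, Authority(True, 28800, 28800))` reproduces the 3-hour delay, `first_seen_listed(3600, ...)` the tuned 1-hour delay, and `Authority(False)` the no-SOA case where the new listing is seen on the next query.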