[Dnsmasq-discuss] Per entry TTL override

Simon Kelley simon at thekelleys.org.uk
Sat Apr 5 19:20:55 UTC 2014



On 03/04/14 23:10, Olivier Mauras wrote:
> 
> 
> On Thu, 2014-04-03 at 21:37 +0100, Simon Kelley wrote:
>> On 02/04/14 22:32, Olivier Mauras wrote:
>>> 
>>> 
>>> On Mon, 2014-03-31 at 12:59 +0200, Olivier Mauras wrote:
>>>> Hello,
>>>> 
>>>> Is it thinkable to allow a per entry TTL override system? I
>>>> have actually two different needs that I'd like to discuss.
>>>> First NXDOMAINS. I'd like to cache NXDOMAIN from some
>>>> forwarded domains to a specific value. Cache time based on
>>>> default SOA TTL may be too long in some cases and requires a
>>>> manual cache refresh :( Easy example: Infra team provisions a
>>>> new server and ping the hostname asked to see if it's not
>>>> already taken - Yes they could act differently It's not, so
>>>> result is cached and will stay for 1H - default SOA TTL.
>>>> Server provisioning takes 10mn, and hostname is still cached
>>>> as NX for 50mn :(
>>>> 
>>>> Second is entry override. Some specific DNS entries could
>>>> have a different TTL than the default one - But not globally
>>>> per entry gives much more flexibility :)
>>>> 
>>>> 
>>>> Would that make sense to have a binding for request replies
>>>> - like the dhcp lua script support - or would this make more
>>>> sense as specific hardcoded options? If this makes any sense
>>>> at all indeed :)
>>>> 
>>>> 
>>>> Thanks, Olivier
>>>> 
>>>> 
>>>> _______________________________________________
>>>> Dnsmasq-discuss mailing list
>>>> Dnsmasq-discuss at lists.thekelleys.org.uk 
>>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>>>
>>>
>>> 
>>> Seemed like I had a double neg-ttl declared in my config and my
>>> command line at the same time, which made it not be
>>> correctly handled... Also seems that no matter what neg-ttl is
>>> set to, the first NXDOMAIN on a cold cache always gets the SOA
>>> TTL, am I missing something?
>> 
>> neg-ttl does not override the SOA TTL, it provides a TTL for
>> NXDOMAIN if the upstream server doesn't include an SOA. (Lots of
>> ISP nameservers seem to strip that information for "bandwidth
>> saving") If your upstream servers include SOA, as they should,
>> then neg-ttl will have no effect.
>>> 
>>> 
>>> Any feedback on per entry TTL override
>> 
>> I'm not sure about that, it seems to me to be fiddly and prone
>> to errors. Your first example could be fixed by using
>> --no-negcache. It would be less efficient, but it would always
>> work. If you're going to set a TTL in that case, what's the
>> correct value that will always work? I don't think there is one.
>> 
>> I'm interested in other opinions.
>> 
>> 
>> Cheers,
>> 
>> 
>> Simon.
>> 
>>> 
>>> 
>>> Thanks, Olivier
>>> 
>>> 
>>> 
> 
> True that no-negcache would fix my first example, but wouldn't
> caching for a definite time be more efficient?

How much does a cache miss cost? Why bother tuning the TTLs and
_still_ risking that you've made them too long and something breaks.
Caching is an optimisation. If an optimisation can lead to different
results in the system, then it's broken and should be turned off,
not tweaked so it breaks less often.
> 
> I actually have weird behavior when cascading dnsmasq instances. 
> 127.0.0.1 forwarding to a dnsmasq instance, forwarding to an
> unbound server... 127.0.0.1 on first query receives the SOA TTL,
> but as the forwarded dnsmasq instance has cached, it returns 0 as
> TTL. So clearing cache on 127.0.0.1 and asking again same query
> will return with neg-ttl as the TTL.

That's because dnsmasq doesn't cache SOAs, so cascaded dnsmasq
instances can lose the SOA TTL information.

> I agree it's pretty particular but having a "neg-cache-ttl" would 
> prevent this _and_ be efficient enough :)
> 
> That was for NXDOMAINS, what about overriding TTL for standard
> entry? opinions?

I'm not clear what you're suggesting. Override local names, from
/etc/hosts etc.? They get "0" TTLs now. Or names loaded from upstream
nameservers?


Cheers,

Simon

> 
> 
> Thanks, Olivier
> 
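Added example (not code from dnsmasq or from either poster): the thread turns on where the TTL of a cached NXDOMAIN actually comes from. RFC 2308 section 3 takes it from the SOA in the authority section of the negative answer, as the minimum of the SOA record's own TTL and its MINIMUM field; only when that SOA is absent does a resolver have nothing to go on, which is the case Simon describes for neg-ttl. The Python below constructs a minimal NXDOMAIN response in wire format, derives the negative TTL from the SOA, falls back to a configured value when there is none, and models the cascade Olivier observed by re-serving the answer with its authority section dropped. The SOA values, the zone names and the function names are this example's own; how dnsmasq itself computes the figure beyond what the thread states is not asserted here.

```python
"""
Effective negative-cache TTL for an NXDOMAIN answer (RFC 2308 section 3):
min(SOA RR TTL, SOA MINIMUM) when the authority section carries the zone's
SOA; otherwise only a configured fallback is available (modelled after the
neg-ttl option as the thread describes it). All data below is constructed.
"""
import struct

RCODE_NXDOMAIN = 3
TYPE_SOA = 6


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as uncompressed labels plus the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            if end is None:
                end = off + 2                      # caller resumes after the pointer
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def build_nxdomain(qname: str, soa=None) -> bytes:
    """Constructed NXDOMAIN response for an A/IN query. soa is None or
    (mname, rname, serial, refresh, retry, expire, minimum, rr_ttl), placed
    in the authority section under the parent zone's name."""
    flags = 0x8180 | RCODE_NXDOMAIN                # QR, RD, RA, RCODE=3
    header = struct.pack(">HHHHHH", 0x1234, flags, 1, 0, 1 if soa else 0, 0)
    msg = header + encode_name(qname) + struct.pack(">HH", 1, 1)
    if soa:
        mname, rname, serial, refresh, retry, expire, minimum, rr_ttl = soa
        zone = qname.split(".", 1)[1]
        rdata = (encode_name(mname) + encode_name(rname)
                 + struct.pack(">IIIII", serial, refresh, retry, expire, minimum))
        msg += encode_name(zone) + struct.pack(">HHIH", TYPE_SOA, 1, rr_ttl, len(rdata)) + rdata
    return msg


def _skip_question_and_answers(msg: bytes):
    """Return the offset where the authority section starts."""
    qd, an, _, _ = struct.unpack(">HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                   # QTYPE + QCLASS
    for _ in range(an):
        _, off = read_name(msg, off)
        off += 10 + struct.unpack(">H", msg[off + 8:off + 10])[0]
    return off


def negative_ttl(msg: bytes, neg_ttl_option: int):
    """Return (ttl, source): the RFC 2308 value from the SOA, or the
    configured fallback when the authority section has no SOA."""
    if msg[3] & 0x0F != RCODE_NXDOMAIN:
        raise ValueError("not an NXDOMAIN response")
    ns = struct.unpack(">H", msg[8:10])[0]
    off = _skip_question_and_answers(msg)
    for _ in range(ns):
        _, off = read_name(msg, off)
        rtype, _, rr_ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_SOA:
            _, p = read_name(msg, off)             # MNAME
            _, p = read_name(msg, p)               # RNAME
            minimum = struct.unpack(">I", msg[p + 16:p + 20])[0]
            return min(rr_ttl, minimum), "soa"
        off += rdlen
    return neg_ttl_option, "neg-ttl"


def strip_authority(msg: bytes) -> bytes:
    """Model a forwarder that re-serves a cached NXDOMAIN without the SOA
    (the thread notes dnsmasq does not cache SOAs): NS and AR counts go to 0."""
    qd, an, _, _ = struct.unpack(">HHHH", msg[4:12])
    end = _skip_question_and_answers(msg)
    return msg[:4] + struct.pack(">HHHH", qd, an, 0, 0) + msg[12:end]


# Constructed zone data: the 1H negative TTL from the thread, and a variant
# whose SOA record TTL is shorter than its MINIMUM field.
SOA_1H = ("ns1.example.net.", "hostmaster.example.net.", 2014040501, 7200, 900, 1209600, 3600, 3600)
SOA_SHORT_RR = SOA_1H[:7] + (600,)

if __name__ == "__main__":
    upstream = build_nxdomain("newhost.example.net.", SOA_1H)
    print("direct from upstream:", negative_ttl(upstream, 60))           # (3600, 'soa')
    print("via forwarder cache: ", negative_ttl(strip_authority(upstream), 60))  # (60, 'neg-ttl')
```

The last two lines reproduce the behaviour described in the thread: the first resolver in a cascade sees the upstream SOA and caches for its TTL, while a resolver behind a forwarder that has dropped the SOA has only the configured neg-ttl to fall back on, so the two give different answers for the same name.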
