----- "paul e" <list-outages@dragon.net> wrote:

...

...

Update: Unfortunately, for many, this outage seems to have lasted longer than an hour. It appears that many ISPs=92 DNS resolvers do not honor the so-called Negative Cache TTL that we send (1 hour), and instead use a longer value. We have circumvented this problem by renaming the affected DNS record to something else.

cmadams> I'm curious: what software/settings are these "many ISPs" using cmadams> that does this? I've seen this mentioned before, but BIND for cmadams> example doesn't have an option to do this IIRC.

ncache is set on the auth server for the zone, in the SOA record. It's the 'minimum' timer, the last of the 4 timers after serial number. See RFC 2308 for how negative caching works.

Any RFC compliant resolver should deal with this correctly. BIND does the correct thing, both on the auth server side and as a recursive resolver.

Is it possible that the condition being discussed -- which I have also heard alleged before, without citation, has something to do with section 14.5.7, at: http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch14_05.htm Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com '87 e24 St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274 Start a man a fire, and he'll be warm all night. Set a man on fire, and he'll be warm for the rest of his life.