1

I've configured many servers in my company to work with NSCD for local caching of hosts and in order to lower traffic to the local DNS servers as well as return a quicker DNS response when possible.

I've configured nscd like so and only using it for caching hosts: 

logfile                 /var/log/nscd.log
debug-level             9
server-user           nscd 

paranoia                no

enable-cache            hosts           yes
#positive-time-to-live   hosts           3600
positive-time-to-live   hosts           86400
negative-time-to-live   hosts           20
suggested-size          hosts           211
check-files             hosts           yes
persistent              hosts           yes
shared                  hosts           yes
#max-db-size             hosts   67108864
max-db-size             hosts   536870912

You can see that I've configured Positive-TTL to 24 hours.

My question is, which TTL is the one used? The one which is configured here or the one which is configured per domain in the DNS?

My guess is that the shorter TTL is the one that takes place but I could be wrong, can you please shed some light on this matter?

Itai Ganot
  • 10,644
  • 29
  • 93
  • 146
  • 1
    `nscd` is not only caching DNS requests but lots of other things which don't have their own TTL field. So it is possible those settings are only for information it retrieved through other protocols than DNS. But more likely it completely ignores the TTL field from the DNS reply and caches for as long as you specified in the configuration file. A definitive answer would be nice, I only have guesses. – kasperd Oct 18 '15 at 09:09

1 Answers1

5

It's important to note that nscd acts as a cache for the resolver system in general, not specifically for DNS lookups but all means of name lookups.
As a result of this, nscd has historically had issues dealing with the DNS TTLs.

Versions of glibc nscd from before 2004-09-15 did not deal properly with DNS TTLs.
When that was resolved, glibc nscd still only dealt with DNS TTLs if the application called getaddrinfo; if an application called the obsolete gethostbyname functions the DNS TTL values were still ignored.

To my understanding the glibc maintainers finally caved in glibc 2.8 (2008) and made the behavior consistent across all the name lookup methods. Current versions should use the DNS TTLs regardless of how the lookup was initiated.

See also:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=335476
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=669304
https://sourceware.org/ml/libc-alpha/2008-04/msg00050.html
https://sourceware.org/bugzilla/show_bug.cgi?id=4428
http://udrepper.livejournal.com/16362.html

Håkan Lindqvist
  • 35,011
  • 5
  • 69
  • 94
  • nscd on Solaris used to cause me so much trouble it was the first thing I would disable on a system. – user9517 Oct 18 '15 at 19:25