Fred,

Most of the details are in RFC 2308 (Negative Caching of DNS Queries).

On Sat, Apr 6, 2024 at 9:16 AM Fred Morris <m3...@m3047.net> wrote:

> So the answer is in two parts.
>
> 1) An SOA record is required in the AUTHORITY section. The TTL on the
> negative answer is established by the TTL on this record.
>
> 2) "TTL on this record" means the literal TTL applied to the SOA record,
> not e.g. the minimum TTL specified within the SOA record.

Yes, from the resolver's point of view - it just needs to use the SOA record's TTL itself to count down (or bound) the negative response in its cache. However, the authoritative server providing the negative response does need to set the SOA's TTL to be the minimum of the SOA MINIMUM field and the TTL of the SOA itself.

Relevant text from RFC 2308 DNS Negative Caching:

3 - Negative Answers from Authoritative Servers

Name servers authoritative for a zone MUST include the SOA record of the zone in the authority section of the response when reporting an NXDOMAIN or indicating that no data of the requested type exists. This is required so that the response may be cached. The TTL of this record is set from the minimum of the MINIMUM field of the SOA record and the TTL of the SOA itself, and indicates how long a resolver may cache the negative answer. The TTL SIG record associated with the SOA record should also be trimmed in line with the SOA's TTL.

If the containing zone is signed [RFC2065] the SOA and appropriate NXT and SIG records MUST be added.

> I'd also appreciate (from someone who's read the code) a statement of
> what the intended semantics are, before I go read the code myself.
> Presuming that the ANSWER:0 response is authoritative, is there any
> expectation regarding content in the ADDITIONAL or AUTHORITATIVE
> sections which affects this behavior? NS? SOA?

Only the SOA in the Authority is required. And if the response is from a signed zone, the SOA signature, and the relevant signed NSEC/NSEC3 records that prove non-existence of the name or type are required too.
NS and any nameserver addresses are optional (and are less often seen these days since many nameserver operators use a minimal response configuration that omits optional data). Shumon.
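The RFC 2308 section 3 rule discussed in the message above, worked through on the wire: an added example, not code from the thread or from BIND. It hand-builds a minimal authoritative NXDOMAIN (or NODATA) response for a constructed zone (example.net, ns1/hostmaster names, serial and timers are all made-up sample data), parses the AUTHORITY section, and derives the negative-cache TTL as the minimum of the SOA RR's own TTL and its MINIMUM field. A response with no SOA in AUTHORITY is reported as not cacheable, which is the failure mode a resolver has to handle.

```python
# Added example (not from the bind-users thread or BIND's code): build a
# negative DNS response and apply the RFC 2308 section 3 TTL rule to it.
# Zone, names, serial and timers below are constructed sample data.
import struct

def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)

def build_negative_response(qname, zone, soa_ttl, soa_minimum, include_soa=True, rcode=3):
    """Authoritative response (QR=1, AA=1) with ANSWER empty; rcode 3 = NXDOMAIN, 0 = NODATA."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8400 | rcode, 1, 0, 1 if include_soa else 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    authority = b""
    if include_soa:
        # SOA RDATA: MNAME, RNAME, SERIAL, REFRESH, RETRY, EXPIRE, MINIMUM (constructed values)
        rdata = (encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
                 + struct.pack("!IIIII", 2024040601, 7200, 900, 1209600, soa_minimum))
        authority = encode_name(zone) + struct.pack("!HHIH", 6, 1, soa_ttl, len(rdata)) + rdata
    return header + question + authority

def parse_response(msg):
    """Parse header, skip the question, and collect RRs as (name, type, ttl, rdata_off, rdlen)."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4
    sections = {"answer": [], "authority": [], "additional": []}
    for name_, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            sections[name_].append((owner, rtype, ttl, off, rdlen))
            off += rdlen
    return {"rcode": flags & 0xF, "aa": bool(flags & 0x0400), **sections}

def soa_minimum(msg, rdata_off):
    """MINIMUM is the last 32-bit field after MNAME and RNAME (which may be compressed)."""
    _, off = decode_name(msg, rdata_off)
    _, off = decode_name(msg, off)
    return struct.unpack("!I", msg[off + 16:off + 20])[0]

def negative_cache_ttl(msg):
    """Return (cacheable, ttl_seconds, reason) for a negative answer per RFC 2308 section 3."""
    r = parse_response(msg)
    if not (r["rcode"] == 3 or (r["rcode"] == 0 and not r["answer"])):
        return False, 0, "not a negative answer"
    soas = [rr for rr in r["authority"] if rr[1] == 6]
    if not soas:
        return False, 0, "no SOA in AUTHORITY; response must not be negatively cached"
    owner, _, soa_ttl, rdata_off, _ = soas[0]
    # An authoritative server already trims the SOA RR's TTL to min(MINIMUM, SOA TTL),
    # so a resolver only needs the RR TTL; taking the min again is harmless and also
    # bounds the cache time when a server forgot to trim it.
    return True, min(soa_ttl, soa_minimum(msg, rdata_off)), "SOA of " + owner

if __name__ == "__main__":
    for ttl, minimum, soa in ((3600, 300, True), (300, 3600, True), (3600, 300, False)):
        msg = build_negative_response("nonexistent.example.net.", "example.net.", ttl, minimum, soa)
        print(ttl, minimum, soa, "->", negative_cache_ttl(msg))
```

The same function handles the NODATA case (RCODE 0, empty ANSWER) that Fred's "ANSWER:0" question refers to; the only thing it needs from the message is the SOA RR in AUTHORITY, which matches the reply above.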
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users