Fred,

Most of the details are in RFC 2308 (Negative Caching of DNS Queries).

On Sat, Apr 6, 2024 at 9:16 AM Fred Morris <m3...@m3047.net> wrote:

> So the answer is in two parts.
>
> 1) An SOA record is required in the AUTHORITY section. The TTL on the
> negative answer is established by the TTL on this record.
>
> 2) "TTL on this record" means the literal TTL applied to the SOA record,
> not e.g. the minimum TTL specified within the SOA record.


Yes, from the resolver's point of view - it just needs to use the SOA
record's TTL itself to countdown (or bound) the negative response in its
cache.

However, the authoritative server providing the negative response does
need to set the SOA's TTL to be the minimum of the SOA MINIMUM field
and the TTL of the SOA itself.

Relevant text from RFC 2308 DNS Negative Caching

3 - Negative Answers from Authoritative Servers

   Name servers authoritative for a zone MUST include the SOA record of
   the zone in the authority section of the response when reporting an
   NXDOMAIN or indicating that no data of the requested type exists.
   This is required so that the response may be cached.  The TTL of this
   record is set from the minimum of the MINIMUM field of the SOA record
   and the TTL of the SOA itself, and indicates how long a resolver may
   cache the negative answer.  The TTL SIG record associated with the
   SOA record should also be trimmed in line with the SOA's TTL.

   If the containing zone is signed [RFC2065] the SOA and appropriate
   NXT and SIG records MUST be added.


> I'd also appreciate (from someone who's read the code) a statement of
> what the intended semantics are, before I go read the code myself.
> Presuming that the ANSWER:0 response is authoritative, is there any
> expectation regarding content in the ADDITIONAL or AUTHORITATIVE
> sections which affects this behavior? NS? SOA?

Only the SOA in the Authority is required. And if the response is from a
signed zone, the SOA signature, and the relevant signed NSEC/NSEC3
records that prove non-existence of the name or type are required too.

NS and any nameserver addresses are optional (and are less often seen
these days since many nameserver operators use a minimal response
configuration that omits optional data).

Shumon.
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.
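The two halves of the answer above (the authoritative server trims the SOA TTL to min(SOA TTL, SOA MINIMUM); the resolver then caches for the SOA RR's own TTL and needs nothing but that SOA in the AUTHORITY section) can be shown end to end on the wire. The following is an added example, not code from this thread or from BIND: it builds an NXDOMAIN or NODATA response in DNS wire format the way an authoritative server would, then parses it the way a negative-caching resolver does. The zone `example.test.`, its SOA contents, all TTLs and the function names are constructed for illustration; the parser is a minimal stdlib-only one (no dnspython) that handles RFC 1035 name compression because real servers compress the SOA owner name against the question.

```python
"""
Added example (not code from the bind-users thread or from BIND): build a
negative response in DNS wire format as an authoritative server would, then
parse it as a negative-caching resolver does (RFC 2308 section 3).
The zone 'example.test.', its SOA contents and the TTLs are constructed
sample data; the function names are assumptions for illustration.
"""
import struct

TYPE_A, TYPE_AAAA, TYPE_SOA, CLASS_IN = 1, 28, 6, 1
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
FLAG_QR, FLAG_AA = 0x8000, 0x0400


def encode_name(name):
    """Uncompressed wire encoding of a dotted name (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, off):
    """Decode a name that may use compression pointers; return (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2                           # resume after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels) + ".", (end if end is not None else off)


def build_negative_response(qname, qtype, zone, soa_ttl, minimum,
                            nxdomain=True, include_soa=True):
    """Authoritative side: AA=1, empty ANSWER, SOA in AUTHORITY.

    Per RFC 2308 section 3 the SOA RR's TTL in this response is
    min(SOA TTL, SOA MINIMUM). include_soa=False models a broken server
    that omits the SOA, which leaves the resolver nothing to cache on.
    """
    flags = FLAG_QR | FLAG_AA | (RCODE_NXDOMAIN if nxdomain else RCODE_NOERROR)
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 1 if include_soa else 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    if not include_soa:
        return msg
    owner = encode_name(zone)
    if qname.endswith("." + zone):                      # compress owner into QNAME
        prefix = qname[:-len(zone) - 1]
        skip = sum(len(label) + 1 for label in prefix.split("."))
        owner = struct.pack("!H", 0xC000 | (12 + skip))
    rdata = (encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
             + struct.pack("!IIIII", 2024040601, 7200, 900, 1209600, minimum))
    msg += owner + struct.pack("!HHIH", TYPE_SOA, CLASS_IN,
                               min(soa_ttl, minimum), len(rdata))
    return msg + rdata


def skip_rr(msg, off):
    _, off = read_name(msg, off)
    rdlen = struct.unpack("!H", msg[off + 8:off + 10])[0]
    return off + 10 + rdlen


def negative_cache_entry(msg):
    """Resolver side: decide whether, and for how long, to cache a negative answer.

    Only the SOA RR in AUTHORITY matters, and its RR TTL (not its MINIMUM
    field) bounds the cache lifetime. Without an SOA the answer is not cached.
    """
    _, flags, qd, an, ns, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                        # QTYPE + QCLASS
    for _ in range(an):
        off = skip_rr(msg, off)
    if rcode == RCODE_NXDOMAIN:
        kind = "NXDOMAIN"
    elif rcode == RCODE_NOERROR and an == 0:
        kind = "NODATA"
    else:
        return {"kind": "not negative", "cacheable": False}
    for _ in range(ns):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_SOA and rclass == CLASS_IN:
            _mname, p = read_name(msg, off)
            _rname, p = read_name(msg, p)
            minimum = struct.unpack("!I", msg[p + 16:p + 20])[0]
            return {"kind": kind, "cacheable": True, "zone": name,
                    "negative_ttl": ttl, "soa_minimum": minimum,
                    "authoritative": bool(flags & FLAG_AA)}
        off += rdlen
    return {"kind": kind, "cacheable": False}


if __name__ == "__main__":
    for ttl, minimum in ((3600, 300), (60, 86400)):
        resp = build_negative_response("nonexistent.example.test.", TYPE_A,
                                       "example.test.", ttl, minimum)
        print(negative_cache_entry(resp))
```

Two cases are worth running: with SOA TTL 3600 and MINIMUM 300 the authoritative side puts 300 on the SOA RR and the resolver caches for 300; with SOA TTL 60 and MINIMUM 86400 the resolver caches for 60 even though MINIMUM is a day, because it reads only the RR TTL. A response built with `include_soa=False` comes back `cacheable: False`, which is what "NS and addresses are optional, the SOA is not" means in practice.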
