Hi, I am hoping to learn more about how BIND v 9.7.0 implements negative
caching of
delegated subdomains.  I've tested and found that BIND observes a different
TTL for
name errors than I would expect it to abide by, but that could be my lack
of understanding of what TTL a DNS server is supposed to abide by in this

(I've changed the actual domain names as they are only used in our internal
network and
you can't get to it from the internet anyway.)

We have abc.com that BIND 9.7.0 is authoritative for.
And in named.hosts of (host: bind1.abc.com), we have:

xyz         30  IN   NS         dns1.abc.com.
xyz         30  IN   NS         dns2.abc.com.

On bind1.abc.com, if you query for a host that doesn't exist, this is dig's
> dig nohost.xyz.abc.com @bind1.abc.com
; <<>> DiG 9.3.5-P1 <<>> nohost.xyz.abc.com @bind1.abc.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1298
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;nohost.xyz.abc.com.                IN      A

xyz.abc.com.     10800   IN      SOA     localhost. admin.abc.com. 1 60 3600
604800 3600

>From my tests, Bind is observing the '10800' TTL for nohost.xyz.abc.com, not
'3600' that's
in the SOA minimum field.

The question is why is the TTL of the SOA record used for caching negative
answers, not
the TTL in the SOA minimum field?

Reading http://www.dns.net/dnsrd/rfc/rfc2308.html, it says:

"Name servers authoritative for a zone MUST include the SOA record of the
zone in the
authority section of the response when reporting an NXDOMAIN or indicating
that no data
of the requested type exists. This is required so that the response may be
The TTL of this record is set from the minimum of the MINIMUM field of the
SOA record
and the TTL of the SOA itself, and indicates how long a resolver may cache
the negative answer."

And that doesn't seem clear to me, as TTL of the negative response is cached
from BOTH the
minimum field and the TTL of the SOA record?

But in Bind, it seems like it's taking the TTL of the SOA.  If anyone has an
explanation to this,
please chime in.  thanks.

bind-users mailing list

Reply via email to