Hi, I am hoping to learn more about how BIND v9.7.0 implements negative caching of delegated subdomains. I've tested and found that BIND observes a different TTL for name errors than I would expect it to, but that could be my lack of understanding of what TTL a DNS server is supposed to abide by in this situation.
(I've changed the actual domain names, as they are only used in our internal network and you can't get to it from the internet anyway.)

We have abc.com, which BIND 9.7.0 is authoritative for. In named.hosts on the host bind1.abc.com we have:

    xyz 30 IN NS dns1.abc.com.
    xyz 30 IN NS dns2.abc.com.

On bind1.abc.com, if you query for a host that doesn't exist, this is dig's output:

    > dig nohost.xyz.abc.com @bind1.abc.com

    ; <<>> DiG 9.3.5-P1 <<>> nohost.xyz.abc.com @bind1.abc.com
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1298
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;nohost.xyz.abc.com.            IN      A

    ;; AUTHORITY SECTION:
    xyz.abc.com.            10800   IN      SOA     localhost. admin.abc.com. 1 60 3600 604800 3600

From my tests, BIND is observing the 10800 TTL for nohost.xyz.abc.com, not the 3600 that's in the SOA MINIMUM field. The question is: why is the TTL of the SOA record used for caching negative answers, and not the TTL in the SOA MINIMUM field?

Reading http://www.dns.net/dnsrd/rfc/rfc2308.html, it says:

"Name servers authoritative for a zone MUST include the SOA record of the zone in the authority section of the response when reporting an NXDOMAIN or indicating that no data of the requested type exists. This is required so that the response may be cached. The TTL of this record is set from the minimum of the MINIMUM field of the SOA record and the TTL of the SOA itself, and indicates how long a resolver may cache the negative answer."

That doesn't seem clear to me: is the TTL of the negative response taken from BOTH the MINIMUM field and the TTL of the SOA record? But in BIND, it seems like it's taking the TTL of the SOA.

If anyone has an explanation for this, please chime in.

Thanks,
AJ
_______________________________________________ bind-users mailing list firstname.lastname@example.org https://lists.isc.org/mailman/listinfo/bind-users
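As an added worked example (not part of AJ's post and not BIND code): a small Python script that pulls the SOA out of the AUTHORITY section of the dig output quoted above and applies the RFC 2308 section 3 rule the post cites, min(TTL of the SOA, MINIMUM field). The dig text is re-typed from the post as a constructed sample; the max-ncache-ttl cap is BIND 9's documented default (10800 s) and is assumed here rather than taken from bind1's configuration. The script also checks the aa flag, since a response without it was answered non-authoritatively and its TTL is whatever bind1 currently holds in cache, not necessarily the value the zone's authoritative server emitted.

```python
"""Added example (not from the original post): apply the RFC 2308 negative-caching
rule to the SOA that dig shows in an NXDOMAIN response.

Assumptions (mine, not the poster's): SAMPLE_DIG is a constructed sample re-typed
from the post; MAX_NCACHE_TTL mirrors BIND 9's default max-ncache-ttl of 10800 s,
an assumption about the server's configuration, not something the post states.
"""
import re
from dataclasses import dataclass

# Constructed sample: the dig output quoted in the post, with line breaks restored.
SAMPLE_DIG = """\
; <<>> DiG 9.3.5-P1 <<>> nohost.xyz.abc.com @bind1.abc.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1298
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;nohost.xyz.abc.com.            IN      A

;; AUTHORITY SECTION:
xyz.abc.com.            10800   IN      SOA     localhost. admin.abc.com. 1 60 3600 604800 3600
"""

# BIND 9 default for the max-ncache-ttl option (3 hours). Assumed, not taken from the post.
MAX_NCACHE_TTL = 10800


@dataclass
class NegativeAnswer:
    status: str          # NXDOMAIN, or NOERROR for a NODATA answer
    authoritative: bool  # True only when the 'aa' flag is present
    soa_owner: str       # zone apex the SOA belongs to
    soa_ttl: int         # TTL on the SOA record in the AUTHORITY section
    soa_minimum: int     # last RDATA field of the SOA, i.e. the MINIMUM field
    negative_ttl: int    # how long RFC 2308 lets a resolver cache the negative answer


def negative_cache_ttl(soa_ttl: int, soa_minimum: int,
                       max_ncache_ttl: int = MAX_NCACHE_TTL) -> int:
    """RFC 2308 s.3: the authoritative server sets the SOA's TTL in a negative
    answer to min(SOA TTL, MINIMUM).  RFC 2308 s.5 lets a resolver cap that
    further with its own limit, which in BIND is the max-ncache-ttl option."""
    return min(soa_ttl, soa_minimum, max_ncache_ttl)


def parse_dig(text: str) -> NegativeAnswer:
    """Extract status, flags and the AUTHORITY-section SOA from dig's text output."""
    status = re.search(r"status:\s*(\w+)", text).group(1)
    flags = re.search(r"flags:\s*([a-z ]*);", text).group(1).split()
    in_authority = False
    for line in text.splitlines():
        if line.startswith(";; AUTHORITY SECTION"):
            in_authority = True
            continue
        if in_authority and line.startswith(";;"):
            break  # next section reached without an SOA
        if in_authority and line.strip():
            # owner ttl class type mname rname serial refresh retry expire minimum
            f = line.split()
            if len(f) >= 11 and f[3] == "SOA":
                ttl, minimum = int(f[1]), int(f[10])
                return NegativeAnswer(
                    status=status,
                    authoritative="aa" in flags,
                    soa_owner=f[0],
                    soa_ttl=ttl,
                    soa_minimum=minimum,
                    negative_ttl=negative_cache_ttl(ttl, minimum),
                )
    raise ValueError("no SOA in the AUTHORITY section: negative answer is not cacheable")


def explain(ans: NegativeAnswer) -> str:
    """Human-readable summary, including the check a practitioner wants first."""
    lines = [f"{ans.status} for a name under {ans.soa_owner}"]
    if not ans.authoritative:
        lines.append("no 'aa' flag: answered non-authoritatively, so the SOA TTL shown is "
                     "what this server currently holds in cache, not necessarily the value "
                     "the zone's authoritative server set")
    lines.append(f"RFC 2308 negative TTL = min(SOA TTL {ans.soa_ttl}, "
                 f"MINIMUM {ans.soa_minimum}, max-ncache-ttl {MAX_NCACHE_TTL}) = {ans.negative_ttl}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(explain(parse_dig(SAMPLE_DIG)))
```

Run it against the captured output of `dig +noall +comments +authority <name> @<server>` to get the same fields; querying the zone's own authoritative servers (dns1/dns2 here) and looking for the aa flag is the way to see the TTL the zone actually hands out, as opposed to what a caching server has left.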