Re: BIND caching of nxdomain responses

2021-10-22 Thread Dan Hanks
On Fri, Oct 22, 2021 at 9:57 AM Dan Hanks  wrote:
>
> Greetings,
>
> As I understand RFC 2308, when receiving an NXDOMAIN response, and when 
> deciding how long to cache that NXDOMAIN response, a resolver should use 
> whichever value is lower of the SOA TTL, and the SOA.minimum value as the 
> length of time to cache the NXDOMAIN.

I've done a more careful reading of the text in RFC2308. It states,
"Name servers authoritative for a zone MUST include the SOA record of
the zone in the authority section of the response when reporting an
NXDOMAIN or indicating that no data of the requested type exists. This
is required so that the response may be cached. ***The TTL of this
record is set from the minimum of the MINIMUM field of the SOA record
and the TTL of the SOA itself***, and indicates how long a resolver
may cache the negative answer. The TTL SIG record associated with the
SOA record should also be trimmed in line with the SOA's TTL."
(emphasis added)

I interpret this to mean that an authoritative resolver should set the
TTL on the SOA record included in the AUTHORITY section of an NXDOMAIN
response to be the minimum of the zone SOA TTL, and the SOA.minimum
field. It does not look like Route53 is doing this. I am guessing that
BIND is interpreting RFC2308 this way as well, and using the TTL value
of the SOA record in the nxdomain response to determine how long to
cache the nxdomain response. Can anybody confirm this?

Thanks,

Dan
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: BIND caching of nxdomain responses

2021-10-22 Thread Dan Hanks
On Fri, Oct 22, 2021 at 10:29 AM Matus UHLAR - fantomas wrote:
>
> On 22.10.21 09:57, Dan Hanks wrote:
> >As I understand RFC 2308, when receiving an NXDOMAIN response, and when
> >deciding how long to cache that NXDOMAIN response, a resolver should use
> >whichever value is lower of the SOA TTL, and the SOA.minimum value as the
> >length of time to cache the NXDOMAIN.
> >
> >I have a situation where I am seeing different behavior from that in BIND.
> >Given the following SOA record:
> >
> >azure.mongodb.net.  900 IN  SOA ns-1430.awsdns-50.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 60
> >
> >I am finding that BIND (9.11.x) is caching the NXDOMAIN response for 900s
> >(SOA TTL), instead of the expected 60s (SOA.minimum).
> >
> >I have noticed that many auth servers out there will drop the SOA TTL to
> >match the SOA.minimum value when attaching the SOA record to an NXDOMAIN
> >response. Is BIND expecting this to happen, and just opting to use the SOA
> >TTL value (and not the SOA.minimum value if they disagree)?
>
> are you an authoritative server for azure.mongodb.net?
> if not, BIND will use the cache time that came from the authoritative server and
> won't parse the SOA itself.

I am not authoritative, I'm just making recursive queries against this domain.

When you say, "BIND will use cache time that came from authoritative
server", what 'cache time' are you referring to? Are you referring to
the values in the SOA record included in the AUTHORITY section of the
NXDOMAIN response?

Thanks,

Dan


BIND caching of nxdomain responses

2021-10-22 Thread Dan Hanks
Greetings,

As I understand RFC 2308, when receiving an NXDOMAIN response, and when
deciding how long to cache that NXDOMAIN response, a resolver should use
whichever value is lower of the SOA TTL, and the SOA.minimum value as the
length of time to cache the NXDOMAIN.

I have a situation where I am seeing different behavior from that in BIND.
Given the following SOA record:

azure.mongodb.net.  900 IN  SOA ns-1430.awsdns-50.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 60

I am finding that BIND (9.11.x) is caching the NXDOMAIN response for 900s
(SOA TTL), instead of the expected 60s (SOA.minimum).

I have noticed that many auth servers out there will drop the SOA TTL to
match the SOA.minimum value when attaching the SOA record to an NXDOMAIN
response. Is BIND expecting this to happen, and just opting to use the SOA
TTL value (and not the SOA.minimum value if they disagree)?

Thanks for any insight,

Dan
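The RFC 2308 arithmetic from this thread worked through on the SOA Dan quoted, as an added example that is not code from the thread, from BIND or from Route53: it parses the record, computes the negative-caching TTL as min(SOA TTL, MINIMUM), shows the trimmed SOA a conformant authoritative server would place in the AUTHORITY section, and models (as an assumption, not a description of BIND's implementation) a resolver that simply trusts the SOA TTL it receives, which is the behaviour that would explain the observed 900s.

```python
"""RFC 2308 negative-caching TTL on the SOA quoted in the thread.

Added example; only SOA_FROM_THREAD comes from the thread, the rest is constructed.
"""
from dataclasses import dataclass, replace

# The SOA exactly as posted in the thread, joined onto one line.
SOA_FROM_THREAD = ("azure.mongodb.net.  900 IN  SOA ns-1430.awsdns-50.org. "
                   "awsdns-hostmaster.amazon.com. 1 7200 900 1209600 60")


@dataclass(frozen=True)
class SOA:
    owner: str
    ttl: int        # TTL of the SOA RR itself, as it appears on the wire
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int    # SOA MINIMUM field: negative-caching TTL (RFC 2308 s.4)


def parse_soa(text: str) -> SOA:
    """Parse presentation format: owner TTL [IN] SOA mname rname + five integers."""
    tok = text.split()
    owner, ttl = tok[0], int(tok[1])          # an explicit TTL is required here
    i = 3 if tok[2].upper() == "IN" else 2    # the class field is optional
    if tok[i].upper() != "SOA" or len(tok) != i + 8:
        raise ValueError("not a well-formed SOA record")
    serial, refresh, retry, expire, minimum = (int(t) for t in tok[i + 3:i + 8])
    return SOA(owner, ttl, tok[i + 1], tok[i + 2], serial, refresh, retry, expire, minimum)


def negative_cache_ttl(soa: SOA) -> int:
    """RFC 2308 s.5: a negative answer is cached for min(SOA TTL, SOA MINIMUM)."""
    return min(soa.ttl, soa.minimum)


def authority_soa_for_nxdomain(soa: SOA) -> SOA:
    """SOA a conformant authoritative server attaches to an NXDOMAIN: the same
    record with its TTL trimmed to the negative-caching TTL."""
    return replace(soa, ttl=negative_cache_ttl(soa))


def resolver_takes_soa_ttl(authority_soa: SOA) -> int:
    """Assumed resolver model (not a statement about BIND's code): cache the
    NXDOMAIN for the TTL of the SOA as received, without re-applying min()."""
    return authority_soa.ttl


if __name__ == "__main__":
    soa = parse_soa(SOA_FROM_THREAD)
    print("RFC 2308 negative TTL:", negative_cache_ttl(soa))                         # 60
    print("untrimmed SOA, TTL-trusting resolver:", resolver_takes_soa_ttl(soa))      # 900
    trimmed = authority_soa_for_nxdomain(soa)
    print("trimmed SOA, TTL-trusting resolver:", resolver_takes_soa_ttl(trimmed))    # 60
```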