Package: bind9
Version: 1:9.11.5.P4+dfsg-5.1+deb10u1
Severity: normal

Dear Maintainer,
We run a Debian 10 recursive resolver with DNSSEC validation disabled, and discovered that it puts negative answers in cache at a TTL of 3 hours (10800s), regardless of the SOA's MINIMUM field.

Example query against a problem resolver:

  $ dig @127.0.0.1 nx-domain.xyz | grep SOA
  xyz.                    10800   IN      SOA     ...snip snip... 3600

  # rndc dumpdb -cache
  # grep nx-domain /var/cache/bind/named_dump.db
  nx-domain.xyz.          10800   \-ANY   ...snip...

With DNSSEC validation enabled, the negative answer is cached correctly for 3600s.

As a workaround, we set min-ncache-ttl a bit bigger than the affected internal zone's MINIMUM, and could keep dnssec-validation no.

The min-ncache-ttl patch for the 9.11 series misplaced `view->maxncachettl` into the `view->minncachettl` position in ncache_message (patch 003_min_cache_ttl.diff lines 236 to 238, compared to the lines in validated() above). This is also present in the stretch-backports patch.

This patch was dropped from the bind9 9.12 packages onward, so sid/experimental doesn't have this bug.

Please help refresh the patch, thank you.
-- System Information:
Debian Release: 10.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages bind9 depends on:
ii  adduser                3.118
ii  bind9utils             1:9.11.5.P4+dfsg-5.1+deb10u1
ii  debconf [debconf-2.0]  1.5.71
ii  dns-root-data          2019031302
ii  libbind9-161           1:9.11.5.P4+dfsg-5.1+deb10u1
ii  libc6                  2.28-10
ii  libcap2                1:2.25-2
ii  libcom-err2            1.44.5-1+deb10u3
ii  libdns1104             1:9.11.5.P4+dfsg-5.1+deb10u1
ii  libfstrm0              0.4.0-1
ii  libgeoip1              1.6.12-1
ii  libgssapi-krb5-2       1.17-3
ii  libisc1100             1:9.11.5.P4+dfsg-5.1+deb10u1
ii  libisccc161            1:9.11.5.P4+dfsg-5.1+deb10u1
ii  libisccfg163           1:9.11.5.P4+dfsg-5.1+deb10u1
ii  libjson-c3             0.12.1+ds-2
ii  libk5crypto3           1.17-3
ii  libkrb5-3              1.17-3
ii  liblmdb0               0.9.22-1
ii  liblwres161            1:9.11.5.P4+dfsg-5.1+deb10u1
ii  libprotobuf-c1         1.3.1-1+b1
ii  libssl1.1              1.1.1d-0+deb10u3
ii  libxml2                2.9.4+dfsg1-7+b3
ii  lsb-base               10.2019051400
ii  net-tools              1.60+git20180626.aebd88e-1
ii  netbase                5.6

bind9 recommends no packages.

Versions of packages bind9 suggests:
pn  bind9-doc   <none>
ii  dnsutils    1:9.11.5.P4+dfsg-5.1+deb10u1
pn  resolvconf  <none>
pn  ufw         <none>

-- Configuration Files:
/etc/bind/named.conf.options changed:
options {
	directory "/var/cache/bind";

	// If there is a firewall between you and nameservers you want
	// to talk to, you may need to fix the firewall to allow multiple
	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113

	// If your ISP provided one or more IP addresses for stable
	// nameservers, you probably want to use them as forwarders.
	// Uncomment the following block, and insert the addresses replacing
	// the all-0's placeholder.

	// forwarders {
	// 	0.0.0.0;
	// };

	//========================================================================
	// If BIND logs error messages about the root key being expired,
	// you will need to update your keys.  See https://www.isc.org/bind-keys
	//========================================================================
	dnssec-validation no;

	listen-on-v6 { any; };
};

-- debconf information:
  bind9/different-configuration-file:
  bind9/start-as-user: bind
  bind9/run-resolvconf: false
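A check for the symptom reported above, added here and not part of the bug report or of the bind9 package: it parses dig output (constructed samples for an affected and a correct resolver are embedded) and flags any SOA in the authority section whose TTL exceeds its MINIMUM, since RFC 2308 caps the negative-cache TTL at min(SOA TTL, SOA MINIMUM). The `nx-domain.xyz` name and the `ns0.example.` SOA fields are assumed sample values.

```shell
#!/bin/sh
# Added check (not part of the bug report): parse dig output and flag any SOA in
# the AUTHORITY section whose TTL exceeds its MINIMUM. Per RFC 2308 a resolver
# caches a negative answer for at most min(SOA TTL, SOA MINIMUM), so a larger TTL
# means the negative-cache clamp is wrong (or min-ncache-ttl was set above it).

# Constructed sample of `dig @127.0.0.1 nx-domain.xyz` from an affected resolver:
# MINIMUM is 3600 but the returned negative TTL is 10800 (the max-ncache-ttl default).
SAMPLE_BAD=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;nx-domain.xyz.   IN  A

;; AUTHORITY SECTION:
xyz.   10800  IN  SOA  ns0.example. hostmaster.example. 2020060100 7200 3600 1209600 3600

;; Query time: 1 msec'

# Same query against a correct resolver: negative TTL already counting down from 3600.
SAMPLE_GOOD=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12346

;; AUTHORITY SECTION:
xyz.   3597  IN  SOA  ns0.example. hostmaster.example. 2020060100 7200 3600 1209600 3600

;; Query time: 1 msec'

# ncache_check: reads dig output on stdin; prints each offending SOA owner with
# its TTL and MINIMUM, and returns 1 if any was found, 0 otherwise.
ncache_check() {
    awk '
        /^;; AUTHORITY SECTION:/ { inauth = 1; next }
        /^;;/                    { inauth = 0 }
        inauth && $3 == "IN" && $4 == "SOA" {
            ttl = $2 + 0; minimum = $NF + 0
            if (ttl > minimum) {
                bad = 1
                printf "%s negative TTL %d exceeds SOA MINIMUM %d\n", $1, ttl, minimum
            }
        }
        END { if (bad) exit 1; exit 0 }
    '
}

# Usage against a live resolver: dig @127.0.0.1 nx-domain.xyz | ncache_check
if printf '%s\n' "$SAMPLE_BAD" | ncache_check; then echo "negative cache TTL OK"; fi
```

The check also fires when min-ncache-ttl has deliberately been configured above the zone's MINIMUM, as in the workaround above, so compare against your intended setting.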