I did a bit more testing and found that the time the data is cached for does
appear to coincide with the TTL for the domain, though this is likely to be
really coinciding with the Minimum TTL, as it is the same value.
Here's the SOA record for one of our AD Domains:
Answer section:
SOA-record for redacted.com:
Primary DNS server = redacted
Responsible person = redacted
Serial number = 270261
Refresh interval = 86400
Retry interval = 600
Expire interval = 432000
Default / minimum TTL = 14400
TTL = 14400 (4 hours)
According to the RFC, the minimum TTL is actually used for two different
purposes: 1. As a Default TTL value and 2. As the TTL for negative responses.
This may cause an issue when we add new records, in that the people who handle
DNS administration would need to specify a different TTL value (assuming this
value acts as the default).
If at all possible, I'd like to control this on the DNS server itself instead
of relying on the remote DNS server to be configured with reasonable values.
-----Original Message-----
From: Ondřej Surý [mailto:[email protected]]
Sent: Tuesday, January 31, 2012 10:27 AM
To: Paul Taylor
Cc: [email protected]
Subject: Re: [Unbound-users] TTL for Negative Responses
Setting MINIMUM value in SOA doesn't help? (RFC 2308)
On Mon, Jan 30, 2012 at 21:26, Paul Taylor <[email protected]> wrote:
> Another DNS product I’ve looked at has two options relative to max cache
> time… A time for Positive responses, and a different time for Negative
> responses.
>
> We are looking for this because on our local domain, sometimes servers
> unregister in Active Directory DNS upon reboot. This just happened today
> with one of our servers. After the reboot, it was no longer in DNS. Since
> Unbound forwards our local domains to our AD DNS servers, it didn’t give us
> a response for this DNS name. I manually ran ipconfig /registerdns on the
> server once we determined what had happened and within a few minutes, it was
> resolving again in AD, but some 10 minutes later it was still returning no
> address when we queried our test Unbound server. Finally, I recycled
> Unbound, and then queried it for this name, and it returned the expected
> IP.
>
> I’m not 100% sure what happened, but it looks like Unbound queried the AD
> DNS servers and cached a negative response for this hostname. It looks like
> Unbound then kept this cached information until I restarted Unbound.
>
> Ideally, we’d like to have a “negative cache ttl” set to 60 or 120 seconds,
> so when a host unregisters itself, then re-registers, Unbound would pick up
> on the re-registration fairly quickly, instead of caching the negative
> response… (Assuming this is what happened above)
>
> Am I requesting a new feature? Or is there an existing setting that does
> this that I’ve overlooked?
>
> Thanks,
> Paul
>
> _______________________________________________
> Unbound-users mailing list
> [email protected]
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
--
Ondřej Surý <[email protected]>
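The arithmetic behind the four hours Paul observed, as an added example that is not part of the thread and not Unbound's code: RFC 2308 section 3 has a resolver cache a negative answer for the smaller of the SOA's own TTL and its MINIMUM field, and a resolver-side cap (Unbound's `cache-max-negative-ttl`, assumed here as the knob Paul was asking for; the thread itself does not establish whether his release had it) then shortens that further. The SOA line is constructed in dig presentation format from the numbers posted above (serial 270261, refresh 86400, retry 600, expire 432000, MINIMUM 14400, SOA TTL 14400); the owner and server names are placeholders. The last function puts numbers on the failure mode in the thread: a host unregisters, the resolver caches the negative answer, the host re-registers minutes later, and the resolver keeps serving the stale negative entry until it expires.

```python
"""RFC 2308 negative-cache TTL for the SOA posted in the thread.

Added example; not code from the thread or from Unbound.  The sample SOA is
constructed from the values Paul posted, with placeholder names.
"""
import re

# Constructed input: the thread's SOA as dig would print it (names are placeholders).
SAMPLE_SOA = ("redacted.com. 14400 IN SOA redacted. redacted. "
              "270261 86400 600 432000 14400")

_SOA_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)\s+"
    r"(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)\s+(?P<expire>\d+)\s+"
    r"(?P<minimum>\d+)\s*$"
)


def parse_soa(line):
    """Parse one SOA record in presentation format into a dict of ints/names."""
    m = _SOA_RE.match(line.strip())
    if not m:
        raise ValueError("not a SOA record in presentation format: %r" % line)
    soa = m.groupdict()
    for field in ("ttl", "serial", "refresh", "retry", "expire", "minimum"):
        soa[field] = int(soa[field])
    return soa


def negative_ttl(soa):
    """RFC 2308 section 3: negative answers are cached for
    min(TTL of the SOA itself, SOA MINIMUM field)."""
    return min(soa["ttl"], soa["minimum"])


def resolver_negative_ttl(soa, cache_max_negative_ttl=None):
    """How long a caching resolver really holds the NXDOMAIN/NODATA once a
    resolver-side cap is applied.  The cap models Unbound's
    cache-max-negative-ttl (an assumption of this example); None means no cap."""
    ttl = negative_ttl(soa)
    if cache_max_negative_ttl is not None:
        ttl = min(ttl, cache_max_negative_ttl)
    return ttl


def stale_seconds(neg_ttl, cached_at, reregistered_at):
    """Seconds, after the host re-registers, during which the resolver still
    answers from the stale negative entry cached at `cached_at`."""
    expires_at = cached_at + neg_ttl
    return max(0, expires_at - reregistered_at)


if __name__ == "__main__":
    soa = parse_soa(SAMPLE_SOA)
    uncapped = negative_ttl(soa)
    capped = resolver_negative_ttl(soa, cache_max_negative_ttl=120)
    print("zone negative TTL (RFC 2308):", uncapped)           # 14400, the 4 hours seen
    print("with cache-max-negative-ttl 120:", capped)          # 120
    # Host unregisters at t=0, resolver caches the miss, host re-registers at t=300.
    print("stale window, uncapped:", stale_seconds(uncapped, 0, 300))  # 14100
    print("stale window, capped:", stale_seconds(capped, 0, 300))      # 0
```

Two practical notes that follow from the thread rather than from the code: the zone-side fix is to lower the SOA MINIMUM (or the SOA's own TTL, whichever is larger is irrelevant; the smaller one wins), which in the AD DNS console is the same field Windows uses as the default TTL for new records, so it affects positive records too; and the restart Paul used to clear the entry can be replaced by `unbound-control flush <name>`, which drops the cached records for that one name without touching the rest of the cache.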