This repository has been archived by the owner on Nov 13, 2018. It is now read-only.
Override SOA TTL in authority section for non-DNSSEC requests resulting in negative response (NXDOMAIN) #841
In a negative response case such as an NXDOMAIN we append the SOA in the authority section. It may be necessary to override the SOA's TTL and make it in line with the minimum/ncache TTL field. We have observed BIND caching the negative response for the RFC-defined three-hour maximum when the SOA's TTL is greater than 10800 (it silently truncates 86400 down to 10800), and it completely ignores the minimum/ncache field.
This does not occur when the DO (DNSSEC OK) flag is set, as jdnssec uses the minimum/ncache TTL for the TTL of the NSEC records which are included in the authority section's RRset. BIND will use the lowest TTL in the RRset, so when DO is not set, it uses the TTL of the SOA, and when it is set, it uses the TTL on the NSEC records, which due to jdnssec's implementation is the SOA's minimum/ncache value.
Investigate the RFC, BIND's behavior, and if necessary modify the TTL to prevent long caches of negative responses.
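Added example, not code from this issue or from the project: a self-contained Python script that builds a minimal authoritative NXDOMAIN response in DNS wire format, models the resolver behaviour described above (lowest TTL in the authority section, capped by a maximum negative-cache TTL, 10800 seconds being BIND's default `max-ncache-ttl`), and then applies the RFC 2308 section 3 rule that the SOA in a negative response carries min(SOA TTL, SOA MINIMUM). The zone name, the 86400/300 TTL pair, the serial and the helper function names are constructed for illustration; the resolver model is an assumption that follows the observation in the issue, not a statement about BIND's source.

```python
"""RFC 2308 negative-cache TTL for an authoritative NXDOMAIN (added example)."""
import struct

ZONE = "example.test."                # constructed zone
SOA_TTL = 86400                       # SOA RR TTL (one day), as in the issue
SOA_MINIMUM = 300                     # SOA MINIMUM / ncache field (five minutes)
BIND_DEFAULT_MAX_NCACHE_TTL = 10800   # BIND's default max-ncache-ttl (3 hours)

TYPE_SOA, CLASS_IN, RCODE_NXDOMAIN = 6, 1, 3


def encode_name(name):
    """Dotted name -> uncompressed wire-format name."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a name at `off`, following compression pointers.
    Returns (name, offset just past the name in the original stream)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def build_nxdomain_response(qname, zone=ZONE, soa_ttl=SOA_TTL, soa_minimum=SOA_MINIMUM):
    """Authoritative NXDOMAIN (QR|AA, RCODE 3) with one SOA in the authority section."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8400 | RCODE_NXDOMAIN, 1, 0, 1, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, CLASS_IN)       # A / IN
    rdata = (encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
             + struct.pack("!IIIII", 2018111301, 7200, 900, 1209600, soa_minimum))
    soa = encode_name(zone) + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, soa_ttl, len(rdata)) + rdata
    return header + question + soa


def parse_rrs(msg, off, count):
    """Parse `count` RRs starting at `off`; keep the TTL offset so it can be patched."""
    rrs = []
    for _ in range(count):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rrs.append({"name": name, "type": rtype, "ttl": ttl,
                    "ttl_off": off + 4, "rdata": msg[off + 10:off + 10 + rdlen]})
        off += 10 + rdlen
    return rrs, off


def authority_section(msg):
    """Return the RRs of the authority section of a DNS message."""
    qd, an, ns = struct.unpack("!HHH", msg[4:10])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    _, off = parse_rrs(msg, off, an)
    rrs, _ = parse_rrs(msg, off, ns)
    return rrs


def soa_minimum(rdata):
    """MINIMUM is the last 32-bit field of SOA RDATA, so no name decoding is needed."""
    return struct.unpack("!I", rdata[-4:])[0]


def resolver_negative_ttl(msg, max_ncache_ttl=BIND_DEFAULT_MAX_NCACHE_TTL):
    """Assumed resolver model from the issue: cache the negative answer for the
    lowest TTL in the authority section, capped at the resolver's maximum
    negative-cache TTL; the SOA MINIMUM field is not consulted."""
    ttls = [rr["ttl"] for rr in authority_section(msg)]
    return min(min(ttls), max_ncache_ttl) if ttls else 0


def rfc2308_negative_ttl(soa_ttl, minimum):
    """RFC 2308 section 3: the SOA in a negative response carries min(SOA TTL, MINIMUM)."""
    return min(soa_ttl, minimum)


def clamp_negative_soa_ttl(msg):
    """Server-side fix: rewrite every authority-section SOA TTL of a negative
    response (NXDOMAIN or NODATA) to min(SOA TTL, SOA MINIMUM). Same length out."""
    flags, _, ancount = struct.unpack("!HHH", msg[2:8])
    if (flags & 0x000F) != RCODE_NXDOMAIN and ancount != 0:
        return msg                                     # positive answer: leave alone
    out = bytearray(msg)
    for rr in authority_section(msg):
        if rr["type"] == TYPE_SOA:
            new_ttl = rfc2308_negative_ttl(rr["ttl"], soa_minimum(rr["rdata"]))
            struct.pack_into("!I", out, rr["ttl_off"], new_ttl)
    return bytes(out)


if __name__ == "__main__":
    raw = build_nxdomain_response("nope." + ZONE)
    print("as sent by the server  :", resolver_negative_ttl(raw), "s cached")    # 10800
    fixed = clamp_negative_soa_ttl(raw)
    print("after clamping SOA TTL :", resolver_negative_ttl(fixed), "s cached")  # 300
```

Run as-is, the unclamped response is cached for the full 10800 seconds even though MINIMUM is 300; after `clamp_negative_soa_ttl` the resolver model caches it for 300 seconds. The same clamp would be a no-op for a zone whose SOA TTL is already at or below MINIMUM, and it leaves positive answers untouched.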