This repository has been archived by the owner on Nov 13, 2018. It is now read-only.

Override SOA TTL in authority section for non-DNSSEC requests resulting in negative response (NXDOMAIN) #841

Closed
elsloo opened this issue Dec 7, 2015 · 0 comments · Fixed by #954

Comments

@elsloo
Contributor

elsloo commented Dec 7, 2015

In a negative response case, such as an NXDOMAIN, we append the SOA in the authority section. It may be necessary to override the SOA's TTL and make it in line with the minimum/ncache TTL field. We have observed BIND caching the negative response for the RFC-defined three hour maximum when the SOA's TTL is greater than 10800 (it silently truncates 86400 down to 10800), and it completely ignores the minimum/ncache field.

This does not occur when the DO (DNSSEC OK) flag is set, as jdnssec uses the minimum/ncache TTL for the TTL of the NSEC records which are included in the authority section's RRset. BIND will use the lowest TTL in the RRset, so when DO is not set, it uses the TTL of the SOA, and when it is set, it uses the TTL on the NSEC records, which due to jdnssec's implementation is the SOA's minimum/ncache value.

Investigate the RFC, BIND's behavior, and if necessary modify the TTL to prevent long caches of negative responses.

@elsloo elsloo added this to the 1.4.0 milestone Dec 7, 2015
elsloo added a commit to elsloo/traffic_control that referenced this issue Jan 21, 2016
… negative responses when DNSSEC is not enabled. This closes Comcast#841.
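The behaviour the issue describes can be modelled end to end. The block below is an added example, not Traffic Router or jdnssec code: it builds a constructed NXDOMAIN response in DNS wire format with a single SOA in the authority section, extracts that SOA, compares what a resolver keying on the SOA record's own TTL would cache against what RFC 2308 section 3 prescribes (the minimum of the SOA TTL and the SOA MINIMUM field), and applies the fix of rewriting the SOA TTL to that value before the response leaves the server. The 10800-second cap is a model of BIND's default `max-ncache-ttl` of three hours and is an assumption here; the zone names, serial and SOA timers are constructed sample data.

```python
"""Negative-cache TTL handling for an NXDOMAIN authority section.

Added example (not Traffic Router or jdnssec code). Builds a minimal
NXDOMAIN response in wire format, reads the SOA out of the authority
section, computes the RFC 2308 s.3 negative TTL (min(SOA TTL, MINIMUM)),
and rewrites the SOA TTL so a resolver that keys only on the record TTL
no longer over-caches the negative answer.
"""
import struct

# Assumption: models BIND's default max-ncache-ttl of 3 hours (10800 s).
RESOLVER_MAX_NCACHE_TTL = 10800

SOA_TYPE = 6
A_TYPE = 1
IN_CLASS = 1


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels (no compression pointers)."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def decode_name(buf, off):
    """Decode an uncompressed name; we only parse messages built by encode_name."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def build_nxdomain(qname, zone, soa_ttl, minimum, mname="ns1.example.",
                   rname="hostmaster.example.", serial=1, refresh=3600,
                   retry=600, expire=604800):
    """Constructed NXDOMAIN: QR|AA set, RCODE=3, 1 question, 1 authority SOA, no DNSSEC."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8403, 1, 0, 1, 0)
    question = encode_name(qname) + struct.pack("!HH", A_TYPE, IN_CLASS)
    soa_rdata = (encode_name(mname) + encode_name(rname)
                 + struct.pack("!IIIII", serial, refresh, retry, expire, minimum))
    authority = (encode_name(zone)
                 + struct.pack("!HHIH", SOA_TYPE, IN_CLASS, soa_ttl, len(soa_rdata))
                 + soa_rdata)
    return header + question + authority


def parse_authority_soa(msg):
    """Return (offset of the SOA TTL field, SOA TTL, SOA MINIMUM) for the lone authority SOA."""
    qdcount, ancount, nscount = struct.unpack("!HHH", msg[4:10])
    if (qdcount, ancount, nscount) != (1, 0, 1):
        raise ValueError("expected exactly one question, no answers, one authority record")
    _, off = decode_name(msg, 12)
    off += 4  # QTYPE + QCLASS
    _, off = decode_name(msg, off)
    rtype, _rclass, ttl, _rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    if rtype != SOA_TYPE:
        raise ValueError("authority record is not an SOA")
    ttl_off = off + 4
    _, p = decode_name(msg, off + 10)  # MNAME
    _, p = decode_name(msg, p)         # RNAME
    minimum = struct.unpack("!I", msg[p + 16:p + 20])[0]  # SERIAL, REFRESH, RETRY, EXPIRE, MINIMUM
    return ttl_off, ttl, minimum


def rfc2308_negative_ttl(soa_ttl, minimum):
    """RFC 2308 s.3: a negative answer is cached for min(SOA TTL, SOA MINIMUM)."""
    return min(soa_ttl, minimum)


def resolver_cache_ttl(record_ttl, cap=RESOLVER_MAX_NCACHE_TTL):
    """Model (assumption, not BIND source) of a resolver that keys negative caching on the
    lowest TTL in the authority RRset and clamps it to its configured maximum."""
    return min(record_ttl, cap)


def clamp_soa_ttl(msg):
    """The fix: rewrite the authority SOA's TTL to the RFC 2308 value before sending."""
    ttl_off, ttl, minimum = parse_authority_soa(msg)
    new_ttl = rfc2308_negative_ttl(ttl, minimum)
    return msg[:ttl_off] + struct.pack("!I", new_ttl) + msg[ttl_off + 4:]


def demo():
    """Constructed case from the issue: SOA TTL 86400, MINIMUM 30, no DO bit."""
    msg = build_nxdomain("nope.cdn.example.", "cdn.example.", soa_ttl=86400, minimum=30)
    before = parse_authority_soa(msg)[1]
    after = parse_authority_soa(clamp_soa_ttl(msg))[1]
    return before, resolver_cache_ttl(before), after, resolver_cache_ttl(after)


if __name__ == "__main__":
    b, b_cached, a, a_cached = demo()
    print(f"unfixed: SOA TTL {b}, resolver caches NXDOMAIN for {b_cached}s")
    print(f"fixed:   SOA TTL {a}, resolver caches NXDOMAIN for {a_cached}s")
```

With the unfixed response the modelled resolver caches the NXDOMAIN for the full 10800-second cap even though the zone's MINIMUM is 30 seconds; after the SOA TTL is clamped to min(86400, 30) the negative answer is cached for 30 seconds, which matches what the NSEC records already carry when the DO bit is set.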