Name server changes TTL
Kevin Darcy
kcd at daimlerchrysler.com
Fri Dec 19 19:28:38 UTC 2003
Albert wrote:
>Kevin Darcy <kcd at daimlerchrysler.com> wrote in message news:<brspss$2fen$1 at sf1.isc.org>...
>
>>That SOA RR is really a negative caching record. See RFC 2308 for more
>>details.
>>
>> - Kevin
>
>Kevin, thanks a lot for replying. I've read RFC 2308 carefully but I
>still can't come to a clear conclusion. I have a user who says:
>
>"the name server corrupts the 'Name Error' reply from the
>authoritative name server tld1.ultradns.net in response to the query
>for the Address of www.no-such-domain-123abc.org. The server has
>changed the Time To Live of the returned SOA record in the Authority
>section to a value smaller than the Minimum Time To Live of that SOA
>record, which makes the replies invalid."
>
>My questions are therefore:
>
>- is it incorrect to return a TTL smaller than the Minimum TTL in the
>case of a NXDOMAIN response?
>
The SOA "minimum" field *no longer* means the minimum TTL for RRs in the
zone:
Section 4 of RFC 2308:
> The SOA minimum field has been overloaded in the past to have three
> different meanings, the minimum TTL value of all RRs in a zone, the
> default TTL of RRs which did not contain a TTL value and the TTL of
> negative responses.
>
> Despite being the original defined meaning, the first of these, the
> minimum TTL value of all RRs in a zone, has never in practice been
> used and is hereby deprecated.
>
The SOA "minimum" field now has a *different* meaning:
Section 5:
> Like normal answers negative answers have a time to live (TTL). As
> there is no record in the answer section to which this TTL can be
> applied, the TTL must be carried by another method. This is done by
> including the SOA record from the zone in the authority section of
> the reply. When the authoritative server creates this record its TTL
> is taken from the minimum of the SOA.MINIMUM field and SOA's TTL.
> This TTL decrements in a similar manner to a normal cached answer and
> upon reaching zero (0) indicates the cached negative answer MUST NOT
> be used again.
>
>- does that make the response from my server "invalid"?
>
No, not at all. Your user is clueless.
>- is this a feature of BIND 9.2.1?
>
It's a feature of any modern standards-conforming resolver or nameserver
implementation.
>- can this behavior be changed and how?
>
I suppose you could hack the code to make it standards-non-compliant.
Why would you want to?
- Kevin
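As an added illustration of the rule Kevin quotes from RFC 2308 section 5 (this is not code from the thread or from BIND): a small checker that parses a presentation-format SOA record, derives the negative-caching TTL as min(SOA.MINIMUM, SOA TTL), and decides whether the SOA TTL seen in an NXDOMAIN reply's authority section is legitimate. The zone names, TTLs and function names are constructed for the example.

```python
"""Negative-caching TTL per RFC 2308 section 5 (added example; all values constructed)."""
import re
from dataclasses import dataclass

# Presentation-format SOA line as printed by dig/named-checkzone:
# <owner> <ttl> IN SOA <mname> <rname> <serial> <refresh> <retry> <expire> <minimum>
SOA_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)\s+"
    r"(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)\s+(?P<expire>\d+)\s+(?P<minimum>\d+)$"
)

# Constructed zone SOAs (hypothetical zones, not real data).
# Case 1: SOA TTL larger than MINIMUM, the usual layout.
ZONE_SOA_LINE = ("example.org. 86400 IN SOA ns1.example.org. hostmaster.example.org. "
                 "2003121901 7200 3600 1209600 900")
# Case 2: SOA TTL smaller than MINIMUM; the negative TTL then follows the SOA TTL,
# so an authority-section SOA TTL below SOA.MINIMUM is correct even at the authority.
SHORT_TTL_SOA_LINE = ("example.net. 3600 IN SOA ns1.example.net. hostmaster.example.net. "
                      "2003121901 7200 3600 1209600 86400")


@dataclass
class SOA:
    owner: str
    ttl: int       # TTL of the SOA RR itself
    minimum: int   # SOA.MINIMUM field: negative-caching TTL since RFC 2308


def parse_soa(line: str) -> SOA:
    """Parse one presentation-format SOA record; raise on anything else."""
    m = SOA_RE.match(line.strip())
    if not m:
        raise ValueError("not a presentation-format SOA record: " + line)
    return SOA(m["owner"], int(m["ttl"]), int(m["minimum"]))


def negative_ttl(zone_soa: SOA) -> int:
    """TTL the authoritative server puts on the authority-section SOA of a
    negative answer: the minimum of SOA.MINIMUM and the SOA's own TTL."""
    return min(zone_soa.minimum, zone_soa.ttl)


def authority_soa_ttl_is_valid(zone_soa: SOA, reply_soa_ttl: int) -> bool:
    """A recursive server serving a cached negative answer decrements that TTL,
    so any value from 0 up to negative_ttl(zone_soa) is standards-conforming."""
    return 0 <= reply_soa_ttl <= negative_ttl(zone_soa)


if __name__ == "__main__":
    zone = parse_soa(ZONE_SOA_LINE)
    print(zone.owner, "negative TTL:", negative_ttl(zone))
    print("reply SOA TTL 437 valid:", authority_soa_ttl_is_valid(zone, 437))
```

Feed it the SOA from the zone file and the SOA TTL observed in the NXDOMAIN reply; a TTL below SOA.MINIMUM is only a problem if it exceeds min(SOA.MINIMUM, SOA TTL), which it cannot by construction.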