zero SOA TTL - still best practice?
Alexander Gall
gall at switch.ch
Thu Aug 26 14:52:36 UTC 2010
Hello Karl
On Thu, 26 Aug 2010 23:17:29 +1000, Karl Auer <kauer at biplane.com.au> said:
> Some time ago (at least six years) I wrote a program that, among many
> other related operations, creates new zones for a nameserver. This
> program creates new zones that have a TTL value of zero for the SOA
> record.
> That's what RFC1035 seems to say it should do. When describing TTLs, it
> says "For example, SOA records are always distributed with a zero TTL to
> prohibit caching."
RFC 2181 section 7.2 clarifies that this advice should be ignored.
> That isn't very prescriptive, now that I think about it. It doesn't say
> that it should or must happen - just that it happens. But it does make
> sense to me, now as then - why would anyone want to cache an SOA?
> There's a sort-of-related BIND config item, "zero-no-soa-ttl", the
> description of which states:
> "When returning authoritative negative responses to SOA queries set
> the TTL of the SOA record returned in the authority section to
> zero. The default is yes."
> That's only for negative responses, and only for SOA queries. Still, it
> does seem to suggest that other people think there's generally no need
> to cache SOA records, and especially not negatively.
> Anyway, I just received an email from someone who runs a secondary for
> us saying that he was getting a constant 50 qps for a non-existent RR.
> He says that if our SOA had a non-zero TTL, it would get cached and the
> problem would move downstream and that would be nice. He *also* says
> that the SOA TTL acts as an upper bound for the negative caching TTL.
[I'm that guy :]
> I don't think he is right on either count. The querying nameserver gets
> an SOA record returned, and in that record is the negative caching TTL
> it should use. That is, it may not cache the SOA, but it isn't *looking*
> for the SOA. It's getting one as a side effect of looking up something
> that doesn't exist. The TTL of the SOA is not having any effect here.
RFC 2308, section 3:

    The TTL of this [SOA record in authority section of negative response]
    record is set from the minimum of the MINIMUM field of the SOA record
    and the TTL of the SOA itself, and indicates how long a resolver may
    cache the negative answer.
> That said, a non-zero SOA TTL certainly seems to be common, perhaps the
> norm.
I don't think so. This was an issue for the org zone as well (with
further implications for DNSKEY records), see
<https://lists.dns-oarc.net/pipermail/dns-operations/2009-June/thread.html#4018>
> So to my questions:
> - have I got totally and completely the wrong end of the stick here?
My reading of the specs would suggest that.
> - should I update my program to allow non-zero SOA TTLs?
Yes, unless I'm the one with the wrong end of the stick :)
--
Alex
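An added example, not code from Alex's or Karl's message: a small Python model of the RFC 2308 section 3 rule quoted above and of its effect on the secondary's query load. It parses a one-line SOA record, computes the negative-caching TTL as min(MINIMUM, SOA TTL), and then replays a constant stream of queries for a non-existent name through a resolver that only has a negative cache, counting how many reach the authoritative server. The zone lines, the name example.net and the 50 qps figure taken from the thread are constructed inputs; the resolver model is a deliberate simplification that assumes nothing but RFC 2308 negative caching.

```python
"""Negative-caching TTL per RFC 2308 section 3, and what a zero SOA TTL
does to the query load on the authoritative servers.

Added example, not code from the bind-users thread. The zone lines are
constructed samples; the names and serials are made up.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SOA:
    ttl: int      # TTL of the SOA record itself
    minimum: int  # MINIMUM field, the last number in the SOA RDATA


# One-line SOA in master-file syntax: owner TTL IN SOA mname rname
# serial refresh retry expire minimum (constructed samples only).
_SOA_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+SOA\s+\S+\s+\S+\s+"
    r"(?P<serial>\d+)\s+\d+\s+\d+\s+\d+\s+(?P<minimum>\d+)\s*$"
)


def parse_soa(line: str) -> SOA:
    """Extract the two numbers RFC 2308 cares about from an SOA record."""
    m = _SOA_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a single-line SOA record: {line!r}")
    return SOA(ttl=int(m["ttl"]), minimum=int(m["minimum"]))


def negative_ttl(soa: SOA) -> int:
    """RFC 2308 s.3: the SOA in the authority section of a negative answer
    carries min(MINIMUM, TTL of the SOA), which bounds negative caching.
    With a zero SOA TTL this is always 0, whatever MINIMUM says."""
    return min(soa.minimum, soa.ttl)


class Resolver:
    """Minimal recursive-resolver model with only a negative cache."""

    def __init__(self, soa: SOA) -> None:
        self.neg_ttl_ms = negative_ttl(soa) * 1000
        self.expires_ms = {}  # qname -> absolute expiry time in ms
        self.upstream_queries = 0

    def query(self, qname: str, now_ms: int) -> str:
        # An entry is usable only while now < expiry. A 0 s TTL expires
        # at insertion time, so every later query goes upstream again.
        if now_ms < self.expires_ms.get(qname, -1):
            return "cached NXDOMAIN"
        self.upstream_queries += 1
        self.expires_ms[qname] = now_ms + self.neg_ttl_ms
        return "NXDOMAIN from authoritative"


def upstream_load(soa: SOA, qps: int, seconds: int,
                  qname: str = "nothere.example.net.") -> int:
    """Queries that reach the authoritative server when clients ask the
    resolver for a non-existent name `qps` times per second for `seconds`."""
    r = Resolver(soa)
    interval_ms = 1000 // qps
    for t_ms in range(0, seconds * 1000, interval_ms):
        r.query(qname, t_ms)
    return r.upstream_queries


# Constructed sample zone lines: the zero-TTL SOA the thread is about, and
# the same zone with a 3600 s SOA TTL. MINIMUM is 900 s in both.
ZONE_ZERO_TTL = ("example.net. 0 IN SOA ns1.example.net. hostmaster.example.net. "
                 "2010082601 7200 900 1209600 900")
ZONE_FIXED = ("example.net. 3600 IN SOA ns1.example.net. hostmaster.example.net. "
              "2010082602 7200 900 1209600 900")

if __name__ == "__main__":
    for label, line in (("SOA TTL 0", ZONE_ZERO_TTL), ("SOA TTL 3600", ZONE_FIXED)):
        soa = parse_soa(line)
        print(f"{label}: negative TTL {negative_ttl(soa)} s, "
              f"{upstream_load(soa, qps=50, seconds=3600)} queries "
              f"reach the authoritative server per hour")
```

Running it shows the asymmetry the thread is about: with the SOA TTL at zero the negative TTL is zero and all 180000 queries in an hour (50 qps) reach the authoritative server, while with a 3600 s SOA TTL the negative TTL is capped by MINIMUM at 900 s and only four queries per hour get through, the rest being answered from the resolver's negative cache.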