negative caching and TTL

Mark Andrews marka at isc.org
Thu Jul 1 02:59:29 UTC 2010


In message <AANLkTilSBFrzbBauc54WdLQhMkCwLiCvzJRDQxcCKXnd at mail.gmail.com>, aldus jung writes:
> Hi, I am hoping to learn more about how BIND v 9.7.0 implements negative
> caching of
> delegated subdomains.  I've tested and found that BIND observes a different
> TTL for
> name errors than I would expect it to abide by, but that could be my lack
> of understanding of what TTL a DNS server is supposed to abide by in this
> situation.
> 
> (I've changed the actual domain names as they are only used in our internal
> network and
> you can't get to it from the internet anyway.)
> 
> We have abc.com that BIND 9.7.0 is authoritative for.
> And in named.hosts of (host: bind1.abc.com), we have:
> 
> xyz         30  IN   NS         dns1.abc.com.
> xyz         30  IN   NS         dns2.abc.com.
> 
> 
> On bind1.abc.com, if you query for a host that doesn't exist, this is dig's
> output:
> > dig nohost.xyz.abc.com @bind1.abc.com
> ; <<>> DiG 9.3.5-P1 <<>> nohost.xyz.abc.com @bind1.abc.com
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1298
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;nohost.xyz.abc.com.                IN      A
> 
> ;; AUTHORITY SECTION:
> xyz.abc.com.     10800   IN      SOA     localhost. admin.abc.com. 1 60 3600
> 604800 3600
> 
> From my tests, Bind is observing the '10800' TTL for nohost.xyz.abc.com, not
> '3600' that's
> in the SOA minimum field.
> 
> The question is why is the TTL of the SOA record used for caching negative
> answers, not
> the TTL in the SOA minimum field?
> 
> Reading http://www.dns.net/dnsrd/rfc/rfc2308.html, it says:
> 
> "Name servers authoritative for a zone MUST include the SOA record of the
> zone in the
> authority section of the response when reporting an NXDOMAIN or indicating
> that no data
> of the requested type exists. This is required so that the response may be
> cached.
> The TTL of this record is set from the minimum of the MINIMUM field of the
> SOA record
> and the TTL of the SOA itself, and indicates how long a resolver may cache
> the negative answer."
> 
> And that doesn't seem clear to me, as the TTL of the negative response is cached
> from BOTH the
> minimum field and the TTL of the SOA record?
> 
> But in Bind, it seems like it's taking the TTL of the SOA.  If anyone has an
> explanation for this,
> please chime in.  Thanks.
> 
> AJ

Named honoured the TTL of the negative response it got from the child zone
within the bound set by max-ncache-ttl.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
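To make the two rules in this thread concrete, here is a small Python model added to this archive page (it is not BIND code and is not from either poster). It parses the SOA line from the dig output quoted above, applies the RFC 2308 section 3 rule an authoritative server uses when it builds the negative answer (TTL = min(SOA TTL, MINIMUM)), and then applies the rule Mark describes for the caching side: named honours the TTL on the SOA it received, bounded by max-ncache-ttl. The 10800-second default for max-ncache-ttl is BIND 9's documented default, not something stated in the thread; the sample record is copied from the mail with its wrapped second line joined back on.

```python
"""Negative-caching TTL selection, modelled after RFC 2308 and the reply above.

Two separate steps decide how long an NXDOMAIN is cached:

1. Authoritative side (RFC 2308 section 3): the zone's SOA goes into the
   authority section with TTL = min(SOA record TTL, SOA MINIMUM field).
2. Caching side (named recursing into the delegated child zone): the TTL on
   the SOA record as received is honoured, capped by max-ncache-ttl.
"""
import re
from typing import NamedTuple


class SOA(NamedTuple):
    owner: str
    ttl: int
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


# dig prints the record on one line; mail clients often wrap it, so the
# parser collapses all whitespace before matching.
_SOA_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)"
    r"\s+(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)"
    r"\s+(?P<expire>\d+)\s+(?P<minimum>\d+)\s*$"
)


def parse_soa(text: str) -> SOA:
    """Parse an SOA record in dig's presentation format (line wraps tolerated)."""
    joined = " ".join(text.split())
    m = _SOA_RE.match(joined)
    if not m:
        raise ValueError(f"not an SOA record: {text!r}")
    g = m.groupdict()
    return SOA(g["owner"], int(g["ttl"]), g["mname"], g["rname"],
               int(g["serial"]), int(g["refresh"]), int(g["retry"]),
               int(g["expire"]), int(g["minimum"]))


def authoritative_negative_ttl(zone_soa: SOA) -> int:
    """RFC 2308 section 3: TTL an authoritative server puts on the SOA it
    returns in an NXDOMAIN / NODATA answer."""
    return min(zone_soa.ttl, zone_soa.minimum)


def resolver_negative_ttl(received_soa: SOA, max_ncache_ttl: int = 10800) -> int:
    """TTL a caching named keeps the negative answer for: the TTL on the SOA as
    received from the child zone, bounded by max-ncache-ttl (BIND 9's default
    for that option is 10800 s, i.e. 3 hours; an assumption of this model, not
    a value taken from the thread)."""
    return min(received_soa.ttl, max_ncache_ttl)


# Constructed sample: the authority-section line from the dig output in the
# mail, with the wrapped continuation joined on.
RECEIVED = ("xyz.abc.com.     10800   IN      SOA     localhost. admin.abc.com. "
            "1 60 3600 604800 3600")

if __name__ == "__main__":
    soa = parse_soa(RECEIVED)
    print("MINIMUM field:", soa.minimum)
    print("SOA record TTL:", soa.ttl)
    print("RFC 2308 authoritative TTL:", authoritative_negative_ttl(soa))
    print("cache TTL with default max-ncache-ttl:", resolver_negative_ttl(soa))
    print("cache TTL with max-ncache-ttl 3600:", resolver_negative_ttl(soa, 3600))
```

Running it shows the two numbers the original poster was comparing: had the child zone's server applied the RFC 2308 rule to that record, the SOA in its answer would have carried 3600; since the answer actually carried 10800, the caching side keeps it for 10800 seconds under the default cap, and lowering max-ncache-ttl to 3600 on the caching server is what brings the observed lifetime down to the MINIMUM value.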