negative caching and TTL
Mark Andrews
marka at isc.org
Thu Jul 1 02:59:29 UTC 2010
In message <AANLkTilSBFrzbBauc54WdLQhMkCwLiCvzJRDQxcCKXnd at mail.gmail.com>, aldus jung writes:
> Hi, I am hoping to learn more about how BIND v 9.7.0 implements negative caching of
> delegated subdomains. I've tested and found that BIND observes a different TTL for
> name errors than I would expect it to abide by, but that could be my lack of
> understanding of what TTL a DNS server is supposed to abide by in this situation.
>
> (I've changed the actual domain names as they are only used in our internal
> network and you can't get to it from the internet anyway.)
>
> We have abc.com that BIND 9.7.0 is authoritative for.
> And in named.hosts of (host: bind1.abc.com), we have:
>
> xyz 30 IN NS dns1.abc.com.
> xyz 30 IN NS dns2.abc.com.
>
>
> On bind1.abc.com, if you query for a host that doesn't exist, this is dig's
> output:
> > dig nohost.xyz.abc.com @bind1.abc.com
> ; <<>> DiG 9.3.5-P1 <<>> nohost.xyz.abc.com @bind1.abc.com
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1298
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;nohost.xyz.abc.com. IN A
>
> ;; AUTHORITY SECTION:
> xyz.abc.com. 10800 IN SOA localhost. admin.abc.com. 1 60 3600 604800 3600
>
> From my tests, Bind is observing the '10800' TTL for nohost.xyz.abc.com, not
> the '3600' that's in the SOA minimum field.
>
> The question is why is the TTL of the SOA record used for caching negative
> answers, not the TTL in the SOA minimum field?
>
> Reading http://www.dns.net/dnsrd/rfc/rfc2308.html, it says:
>
> "Name servers authoritative for a zone MUST include the SOA record of the
> zone in the
> authority section of the response when reporting an NXDOMAIN or indicating
> that no data
> of the requested type exists. This is required so that the response may be
> cached.
> The TTL of this record is set from the minimum of the MINIMUM field of the
> SOA record
> and the TTL of the SOA itself, and indicates how long a resolver may cache
> the negative answer."
>
> And that doesn't seem clear to me, as the TTL of the negative response is cached
> from BOTH the minimum field and the TTL of the SOA record?
>
> But in Bind, it seems like it's taking the TTL of the SOA. If anyone has an
> explanation for this, please chime in. Thanks.
>
> AJ
Named honoured the TTL of the negative response it got from the child zone
within the bound set by max-ncache-ttl.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
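The TTL arithmetic behind Mark's answer, as an added example that is not part of the thread and not BIND's own code: RFC 2308 section 3 has the authoritative server put an SOA with TTL = min(MINIMUM field, SOA record TTL) into a negative answer, and section 5 has the caching resolver keep the answer for whatever SOA TTL actually arrived, bounded by its own cap (BIND's max-ncache-ttl). The SOA line is the one from the post's dig output; the 10800-second default for max-ncache-ttl is an assumption stated in the code, not something the thread says.

```python
"""RFC 2308 negative-cache TTL arithmetic, worked on the SOA from the post."""
import re
from dataclasses import dataclass

# Assumption: BIND 9's documented default for max-ncache-ttl (3 hours).
# The thread itself does not state the value in use on bind1.abc.com.
BIND_DEFAULT_MAX_NCACHE_TTL = 10800

# Constructed from the dig output quoted in the post (authority section).
POST_SOA_LINE = "xyz.abc.com. 10800 IN SOA localhost. admin.abc.com. 1 60 3600 604800 3600"


@dataclass(frozen=True)
class SOA:
    owner: str
    ttl: int
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


# owner ttl IN SOA mname rname serial refresh retry expire minimum
SOA_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+IN\s+SOA\s+(\S+)\s+(\S+)"
    r"\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$"
)


def parse_soa(line: str) -> SOA:
    """Parse one dig-style SOA presentation line (whitespace is normalised)."""
    m = SOA_RE.match(" ".join(line.split()))
    if not m:
        raise ValueError(f"not an SOA record: {line!r}")
    owner, ttl, mname, rname, *nums = m.groups()
    serial, refresh, retry, expire, minimum = (int(n) for n in nums)
    return SOA(owner, int(ttl), mname, rname, serial, refresh, retry, expire, minimum)


def authoritative_negative_ttl(soa: SOA) -> int:
    """RFC 2308 section 3: the SOA an authoritative server places in an
    NXDOMAIN/NODATA answer must carry TTL = min(MINIMUM field, SOA TTL)."""
    return min(soa.minimum, soa.ttl)


def resolver_negative_cache_ttl(received_soa_ttl: int,
                                max_ncache_ttl: int = BIND_DEFAULT_MAX_NCACHE_TTL) -> int:
    """RFC 2308 section 5: a caching resolver uses the TTL of the SOA it received,
    not the MINIMUM field, and BIND additionally clamps it to max-ncache-ttl."""
    return min(received_soa_ttl, max_ncache_ttl)


def explain(line: str = POST_SOA_LINE,
            max_ncache_ttl: int = BIND_DEFAULT_MAX_NCACHE_TTL) -> dict:
    """Show both sides of the exchange for one received SOA line."""
    soa = parse_soa(line)
    return {
        "soa_ttl_received": soa.ttl,
        "soa_minimum": soa.minimum,
        # what a compliant child server should have sent as the SOA TTL
        "rfc2308_s3_expected_soa_ttl": authoritative_negative_ttl(soa),
        # what the recursive server caches given the TTL that actually arrived
        "resolver_caches_for": resolver_negative_cache_ttl(soa.ttl, max_ncache_ttl),
    }


if __name__ == "__main__":
    for key, value in explain().items():
        print(f"{key:>30}: {value}")
```

Running it on the post's SOA shows the two numbers the original poster was comparing: a section 3 compliant child server would have emitted 3600 (the minimum of 3600 and 10800), but since the child sent 10800, a resolver following section 5 caches the name error for 10800 seconds, and only a lower max-ncache-ttl on the recursive server would shorten that.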