DNSKEY NODATA responses not cached

Alexander Gall gall at switch.ch
Wed Jan 12 08:06:47 UTC 2011


On Tue, 11 Jan 2011 18:46:39 +0100, Kalman Feher <kalman.feher at melbourneit.com.au> said:

> I'm curious whether the domain in question had a DS in the parent zone?

No, it didn't. The effect is there even if the parent zone does not
support DNSSEC.  I stumbled over this while I was checking whether my
tools could properly handle turning on DNSSEC for an existing zone,
which involves having to wait for cached DNSKEY NODATA to expire from
caches before adding the DS.

> On 11/01/11 4:52 PM, "Chris Thompson" <cet1 at cam.ac.uk> wrote:

>> On Jan 11 2011, Alexander Gall wrote:
>> 
>>> It appears that NODATA responses for qtype=DNSKEY are not cached if
>>> DNSSEC validation is enabled (tested with 9.7.2-P3).  What is the
>>> rationale behind this?
>> 
>> I confirm the effect (same release). Or rather, the NODATA does get cached,
>> as shown by a "!DNSKEY" count in the statistics display, but a new request
>> goes back to the authoritative servers again anyway, as shown by the outgoing
>> queries count and by the SOA in the authority section of the NODATA response
>> having its original value.

I'm tending towards calling this a bug :)

-- 
Alex
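The diagnostic Chris describes above (compare the authority-section SOA TTL across two NODATA responses to tell a cached answer from a re-fetched one) and the wait-before-adding-the-DS step, as an added example that is not code from the thread or from BIND; the `NodataResponse` class, the function names and the sample responses are constructed for illustration, and the RFC 2308 negative-TTL rule is the only external fact it relies on:

```python
"""Added example (not from the thread): does a validating resolver serve a
repeated DNSKEY NODATA query from its negative cache? Query twice, a few
seconds apart, and compare the SOA TTL in the authority section: a cached
answer has counted down by the elapsed time, a re-fetched answer carries
the SOA's original TTL again. All responses below are constructed samples."""
from dataclasses import dataclass

@dataclass(frozen=True)
class NodataResponse:
    """The fields of a NODATA response that matter for this check."""
    rcode: str          # "NOERROR" for NODATA
    answer_count: int   # 0 for NODATA
    soa_ttl: int        # TTL of the SOA in the authority section
    soa_minimum: int    # MINIMUM field of that SOA

    def is_nodata(self) -> bool:
        return self.rcode == "NOERROR" and self.answer_count == 0

def negative_cache_ttl(resp: NodataResponse) -> int:
    """RFC 2308 s.3: a NODATA answer is cacheable for min(SOA TTL, SOA MINIMUM)."""
    return min(resp.soa_ttl, resp.soa_minimum)

def classify_repeat(first: NodataResponse, second: NodataResponse,
                    elapsed_s: int, slack_s: int = 2) -> str:
    """Classify the second response: cached, refetched, expired or inconclusive."""
    if not (first.is_nodata() and second.is_nodata()):
        raise ValueError("both responses must be NODATA")
    if elapsed_s <= slack_s:
        return "inconclusive"   # too little time for a TTL countdown to show
    if elapsed_s >= negative_cache_ttl(first):
        return "expired"        # negative cache legitimately expired; a re-fetch is expected
    if abs(second.soa_ttl - (first.soa_ttl - elapsed_s)) <= slack_s:
        return "cached"         # TTL counted down: answered from the negative cache
    if second.soa_ttl == first.soa_ttl:
        return "refetched"      # original TTL again: went back to the authoritative servers
    return "inconclusive"

def ds_earliest_publish(dnskey_added_at: int, nodata: NodataResponse) -> int:
    """Earliest epoch time to add the DS: cached DNSKEY NODATA must have expired by then."""
    return dnskey_added_at + negative_cache_ttl(nodata)

# Constructed sample responses (not captured traffic): SOA TTL and MINIMUM both 3600.
FIRST = NodataResponse("NOERROR", 0, soa_ttl=3600, soa_minimum=3600)
SECOND_CACHED = NodataResponse("NOERROR", 0, soa_ttl=3570, soa_minimum=3600)
SECOND_REFETCHED = NodataResponse("NOERROR", 0, soa_ttl=3600, soa_minimum=3600)
```

With real traffic, `SECOND_REFETCHED` after 30 seconds is the pattern the thread reports: the NODATA shows up in the statistics as cached, yet every new query goes back to the authoritative servers.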



More information about the bind-users mailing list