answers from cache- verification

Kevin Darcy kcd at chrysler.com
Thu Jun 19 05:21:22 UTC 2008


Alan Clegg wrote:
> Louis Luciano wrote:
>> Do you know the cleanest way to verify that repeated DNS requests to a
>> caching-only DNS 9.3.2 nameserver are truly being satisfied from cache?
>
> Watch for a decreasing TTL.
>
Well, _theoretically_ the TTL of the RRset on the master could be 
changing over time, so declining TTL values is technically only a 
_heuristic_ method of verifying that the answers are coming from cache.

I suppose one could intersperse SOA queries in between the probe queries 
in order to confirm that the zone did not change, but how rigorous do we 
want to be here? The better way, surely, is to see if there is any 
"backend" query traffic between the putative caching resolver and the 
authoritative server(s) for the zone.

On 9.4.x or higher, of course, another option presents itself: restrict 
cache access via allow-query-cache, and thereby see if the queries fail.

- Kevin
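
The TTL heuristic with the interspersed SOA check discussed above, as an added example that is not part of the original message: a Python function that classifies a run of probe results. The sample tuples are constructed, the function and variable names are hypothetical, and it assumes the SOA serial is read from the zone's authoritative server rather than through the cache.

```python
# Added example. Each probe is (seconds_since_start, answer_ttl, zone_soa_serial).
# Assumption: the serial comes from an SOA query sent to the authoritative server,
# since an SOA answered from the cache would not reveal a zone change.

def classify(probes, slack=1):
    """Classify a time-ordered run of probes against one resolver.

    'cached'       : TTL fell in step with the clock and the serial never moved
    'zone-changed' : the serial moved, so TTL differences prove nothing
    'not-cached'   : TTL did not count down (fresh fetch, or the cached entry
                     expired and was fetched again between probes)
    """
    if len(probes) < 2:
        raise ValueError("need at least two probes")
    if len({serial for _, _, serial in probes}) > 1:
        return "zone-changed"
    for (t0, ttl0, _), (t1, ttl1, _) in zip(probes, probes[1:]):
        elapsed = t1 - t0
        # Probes closer together than the tolerance cannot show a TTL decline.
        if elapsed <= slack:
            raise ValueError("space probes further apart than the slack")
        # A cached RRset ages one second per second; allow rounding slack.
        if abs((ttl0 - ttl1) - elapsed) > slack:
            return "not-cached"
    return "cached"


# Constructed sample runs (not captured from a real server).
SERIAL = 2008061801
FROM_CACHE = [(0, 3600, SERIAL), (5, 3595, SERIAL), (12, 3588, SERIAL)]
ALWAYS_FRESH = [(0, 3600, SERIAL), (5, 3600, SERIAL), (12, 3600, SERIAL)]
EXPIRED_MIDWAY = [(0, 3, SERIAL), (5, 3600, SERIAL)]
ZONE_EDITED = [(0, 3600, SERIAL), (5, 3595, SERIAL + 1)]

if __name__ == "__main__":
    for name, run in [("from cache", FROM_CACHE), ("always fresh", ALWAYS_FRESH),
                      ("expired midway", EXPIRED_MIDWAY), ("zone edited", ZONE_EDITED)]:
        print(f"{name:15s} -> {classify(run)}")
```
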


