0-TTL when querying "invalid" soa

Tom tomtux007 at gmail.com
Tue Jan 29 15:23:56 UTC 2019


Hi list

The following "invalid" soa-query responds with NXDOMAIN and with a ttl 
of 0 for the SOA-Record in the authoritative section:
$ dig +norec +noquestion @ns1.yahoo.com. soa asfasdfdas.yahoo.com

; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> +norec +noquestion @ns1.yahoo.com. soa asfasdfdas.yahoo.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 42800
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1272
; COOKIE: 352e18e0eb38280a875e08255c506acd96bbdf698575699e (good)
;; AUTHORITY SECTION:
yahoo.com.		0	IN	SOA	ns1.yahoo.com. hostmaster.yahoo-inc.com. 2019012908 3600 300 1814400 600



When directly querying the "valid" soa record, then the correct ttl for 
the soa-record is shown:
~$ dig +norec +noquestion @ns1.yahoo.com. soa yahoo.com

; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> +norec +noquestion @ns1.yahoo.com. soa yahoo.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12677
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1272
; COOKIE: af18a9cdfa9d627675f37ac25c506ae626caee21d6718b5c (good)
;; ANSWER SECTION:
yahoo.com.		1800	IN	SOA	ns1.yahoo.com. hostmaster.yahoo-inc.com. 2019012908 3600 300 1814400 600



When directly forcing an NXDOMAIN (query an A-record, which doesn't 
exist), then the correct ttl for negative-caching is shown:
$ dig +norec +noquestion @ns1.yahoo.com. asdfasfdasf.yahoo.com

; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> +norec +noquestion @ns1.yahoo.com. asdfasfdasf.yahoo.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 15170
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1272
; COOKIE: 8050b624605c3cb9c99cb11e5c506b0d0bd93eb038992f6a (good)
;; AUTHORITY SECTION:
yahoo.com.		600	IN	SOA	ns1.yahoo.com. hostmaster.yahoo-inc.com. 2019012908 3600 300 1814400 600




When querying the authoritative google-ns for "soa 
asdfasdfdas.google.com", then a ttl of 60s is shown:
$ dig +norec +noquestion @ns1.google.com. soa asdfasdfasd.google.com

; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> +norec +noquestion @ns1.google.com. soa asdfasdfasd.google.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41492
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; AUTHORITY SECTION:
google.com.		60	IN	SOA	ns1.google.com. dns-admin.google.com. 231384568 900 900 1800 60


We're running BIND-9.12.3-P1 on our authoritative servers and we have 
the same behavior with 0-ttl with an invalid soa-query. Is this 
bind-specific? Why does an invalid soa-record respond with 0-ttl in the 
authority-section?

Thank you.
Kind regards,
Tom


More information about the bind-users mailing list
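
Added example, not part of the original post: a small Python check that parses the SOA lines from the three NXDOMAIN responses quoted above and computes how long a resolver may cache each negative answer under RFC 2308, which is the minimum of the SOA record's TTL and its MINIMUM field. The dictionary labels and function names are assumptions made for this example; the record data is copied from the dig output in the post.

```python
import re

# SOA lines from the AUTHORITY SECTION of the three NXDOMAIN responses quoted
# in the post (wrapped lines rejoined). The dictionary keys are labels made up
# for this example.
NXDOMAIN_SOA = {
    "yahoo-soa-query": "yahoo.com. 0 IN SOA ns1.yahoo.com. hostmaster.yahoo-inc.com. "
                       "2019012908 3600 300 1814400 600",
    "yahoo-a-query": "yahoo.com. 600 IN SOA ns1.yahoo.com. hostmaster.yahoo-inc.com. "
                     "2019012908 3600 300 1814400 600",
    "google-soa-query": "google.com. 60 IN SOA ns1.google.com. dns-admin.google.com. "
                        "231384568 900 900 1800 60",
}

SOA_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)"
    r"\s+(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)"
    r"\s+(?P<expire>\d+)\s+(?P<minimum>\d+)\s*$"
)
NUMERIC = ("ttl", "serial", "refresh", "retry", "expire", "minimum")

def parse_soa(line):
    """Parse one SOA line in dig's presentation format into a dict."""
    m = SOA_LINE.match(line.strip())
    if m is None:
        raise ValueError(f"not an SOA record line: {line!r}")
    rec = m.groupdict()
    for key in NUMERIC:
        rec[key] = int(rec[key])
    return rec

def negative_ttl(rec):
    """RFC 2308: a negative answer may be cached for min(SOA TTL, SOA MINIMUM)."""
    return min(rec["ttl"], rec["minimum"])

def audit(samples):
    """Map each label to (record TTL, SOA MINIMUM, negative TTL, cacheable?)."""
    report = {}
    for label, line in samples.items():
        rec = parse_soa(line)
        neg = negative_ttl(rec)
        report[label] = (rec["ttl"], rec["minimum"], neg, neg > 0)
    return report

if __name__ == "__main__":
    for label, row in audit(NXDOMAIN_SOA).items():
        print(label, row)
```

Only the first response yields a negative TTL of 0, so a resolver following RFC 2308 would not cache that NXDOMAIN and would ask the authoritative server again on every repeat of the query.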