0-TTL when querying "invalid" soa

Mukund Sivaraman muks at mukund.org
Tue Jan 29 15:48:38 UTC 2019


On Tue, Jan 29, 2019 at 04:23:56PM +0100, Tom wrote:
> We're running BIND-9.12.3-P1 on our authoritative servers and we have the
> same behavior with 0-ttl with an invalid soa-query. Is this bind-specific?
> Why does an invalid soa-record respond with 0-ttl in the authority-section?

It appears to have been added so that a client that tries to find the
containing zone of an arbitrary name by making SOA queries doesn't
pollute a resolver's cache (and other intermediate caches if any) with
NXDOMAIN entries that are likely only going to be useful for that
client.  It is a BIND implementation detail though it could be
implemented similarly by other nameservers too.

In this age of random subdomain attacks where NX cache entries due to
such attacks pollute the cache and are cleared up more aggressively,
perhaps this sort of handling is no longer needed.

		Mukund
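As an added illustration of the behaviour discussed in this thread (not code from the post, and not BIND's own implementation), the following toy model shows why a TTL of 0 on the SOA record in the authority section keeps a "walk up the labels with SOA queries" client from filling a resolver's negative cache. The zone data, the resolver, and the flag `zero_ttl_on_nxdomain` are all constructed for the example; the negative-cache TTL rule itself is the one from RFC 2308 section 3 (the lesser of the SOA RR's TTL and its MINIMUM field).

```python
"""Toy model of RFC 2308 negative caching and of a client that finds the
containing zone of a name by issuing SOA queries label by label.
Added example; the zone, names and server behaviour are constructed."""

# Constructed authoritative data: one zone, example.com., whose SOA has a
# TTL of 3600 and a MINIMUM field of 3600.
ZONE = "example.com."
SOA_TTL = 3600
SOA_MINIMUM = 3600
EXISTING_NAMES = {"example.com.", "www.example.com."}


def authoritative_answer(qname, zero_ttl_on_nxdomain):
    """Answer an SOA query against the toy zone.

    Returns (rcode, soa) where soa is (ttl, minimum) for the SOA record
    placed in the answer or authority section, or None.  Names outside the
    zone get REFUSED, as an authoritative-only server would do.
    """
    if not (qname == ZONE or qname.endswith("." + ZONE)):
        return "REFUSED", None
    if qname in EXISTING_NAMES:
        return "NOERROR", (SOA_TTL, SOA_MINIMUM)
    # NXDOMAIN: the SOA goes in the authority section.  With the special
    # handling discussed in the thread, its TTL is forced to 0 so that
    # resolvers will not cache the negative answer.
    ttl = 0 if zero_ttl_on_nxdomain else SOA_TTL
    return "NXDOMAIN", (ttl, SOA_MINIMUM)


def negative_cache_ttl(soa_ttl, soa_minimum):
    """RFC 2308 section 3: a negative answer is cached for the lesser of the
    authority-section SOA's TTL and its MINIMUM field."""
    return min(soa_ttl, soa_minimum)


class Resolver:
    """Minimal recursive resolver keeping only a negative (NXDOMAIN) cache."""

    def __init__(self, zero_ttl_on_nxdomain):
        self.zero_ttl_on_nxdomain = zero_ttl_on_nxdomain
        self.negcache = {}          # qname -> expiry time (seconds)
        self.upstream_queries = 0   # how often we had to ask the authority

    def query_soa(self, qname, now):
        expiry = self.negcache.get(qname)
        if expiry is not None and expiry > now:
            return "NXDOMAIN"       # served from the negative cache
        self.upstream_queries += 1
        rcode, soa = authoritative_answer(qname, self.zero_ttl_on_nxdomain)
        if rcode == "NXDOMAIN":
            ttl = negative_cache_ttl(*soa)
            if ttl > 0:             # a TTL of 0 means "do not cache"
                self.negcache[qname] = now + ttl
        return rcode


def find_containing_zone(resolver, name, now=0):
    """Toy client: strip leading labels, querying SOA each time, until the
    authority answers NOERROR.  Every miss along the way is an NXDOMAIN."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if resolver.query_soa(candidate, now) == "NOERROR":
            return candidate
    return None


if __name__ == "__main__":
    for zero_ttl in (False, True):
        r = Resolver(zero_ttl_on_nxdomain=zero_ttl)
        zone = find_containing_zone(r, "a.b.c.example.com.")
        print(f"zero_ttl={zero_ttl}: zone={zone}, "
              f"negative cache entries={len(r.negcache)}")
```

Walking `a.b.c.example.com.` up to `example.com.` produces three NXDOMAIN answers on the way. With a normal SOA TTL the resolver holds three negative-cache entries of no use to anyone but that client; with the TTL forced to 0 it holds none, at the cost of asking the authority again if the same client repeats the walk.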

