BIND caching of nxdomain responses

Dan Hanks danhanks at gmail.com
Fri Oct 22 17:22:47 UTC 2021


On Fri, Oct 22, 2021 at 9:57 AM Dan Hanks <danhanks at gmail.com> wrote:
>
> Greetings,
>
> As I understand RFC 2308, when receiving an NXDOMAIN response, and when deciding how long to cache that NXDOMAIN response, a resolver should use whichever value is lower of the SOA TTL, and the SOA.minimum value as the length of time to cache the NXDOMAIN.

I've done a more careful reading of the text in RFC2308. It states,
"Name servers authoritative for a zone MUST include the SOA record of
the zone in the authority section of the response when reporting an
NXDOMAIN or indicating that no data of the requested type exists. This
is required so that the response may be cached. ***The TTL of this
record is set from the minimum of the MINIMUM field of the SOA record
and the TTL of the SOA itself***, and indicates how long a resolver
may cache the negative answer. The TTL SIG record associated with the
SOA record should also be trimmed in line with the SOA's TTL."
(emphasis added)

I interpret this to mean that an authoritative resolver should set the
TTL on the SOA record included in the AUTHORITY section of an NXDOMAIN
response to be the minimum of the zone SOA TTL, and the SOA.minimum
field. It does not look like Route53 is doing this. I am guessing that
BIND is interpreting RFC2308 this way as well, and using the TTL value
of the SOA record in the nxdomain response to determine how long to
cache the nxdomain response. Can anybody confirm this?

Thanks,

Dan
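
The TTL arithmetic from the quoted RFC 2308 text, as an added worked example that is not BIND's, Route53's or the poster's code: section 3 says the authoritative server trims the SOA TTL in the AUTHORITY section to min(SOA TTL, MINIMUM), and section 5 says the resolver then takes its negative-cache lifetime from that SOA's TTL. The SOA line, record names and the `defensive` option are constructed assumptions for illustration; the example shows what happens when an authority sends an untrimmed SOA TTL, which is the situation the post describes.

```python
"""Negative-cache TTL per RFC 2308 (added example; not BIND or Route53 code).

Section 3: the authoritative server sets the TTL of the SOA it places in the
AUTHORITY section of an NXDOMAIN/NODATA reply to min(SOA TTL, SOA.MINIMUM).
Section 5: the resolver takes the negative-cache lifetime from that SOA's TTL.
All records below are constructed for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class SOA:
    """A zone SOA record as carried in a DNS message (fields per RFC 1035)."""
    owner: str
    ttl: int        # TTL of the SOA RR itself
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int    # MINIMUM field, redefined by RFC 2308 as the negative-caching TTL


def authoritative_negative_soa(zone_soa: SOA) -> SOA:
    """SOA an RFC 2308 section 3 compliant authority places in the AUTHORITY
    section of a negative reply: the zone SOA with TTL trimmed to min(TTL, MINIMUM)."""
    return replace(zone_soa, ttl=min(zone_soa.ttl, zone_soa.minimum))


def resolver_negative_ttl(authority_soa: SOA, defensive: bool = False) -> int:
    """Negative-cache lifetime a resolver derives from the AUTHORITY-section SOA.

    Strict RFC 2308 section 5 reading: use the SOA RR's TTL as received.
    The (hypothetical) 'defensive' variant re-applies min(TTL, MINIMUM) locally,
    so an authority that failed to trim the TTL cannot make the resolver hold an
    NXDOMAIN for the full SOA TTL, which delays visibility of newly added names."""
    if defensive:
        return min(authority_soa.ttl, authority_soa.minimum)
    return authority_soa.ttl


def parse_soa_line(line: str) -> SOA:
    """Parse one presentation-format SOA line as printed by dig (constructed input)."""
    fields = line.split()
    # owner ttl class type mname rname serial refresh retry expire minimum
    if len(fields) != 11 or fields[2] != "IN" or fields[3] != "SOA":
        raise ValueError(f"not an SOA RR: {line!r}")
    owner, ttl, _cls, _type, mname, rname, *nums = fields
    serial, refresh, retry, expire, minimum = (int(n) for n in nums)
    return SOA(owner, int(ttl), mname, rname, serial, refresh, retry, expire, minimum)


# Constructed AUTHORITY-section line: SOA TTL 900 was NOT trimmed to MINIMUM 300.
UNTRIMMED_AUTHORITY = (
    "example.test. 900 IN SOA ns1.example.test. hostmaster.example.test. "
    "2021102201 7200 900 1209600 300"
)

if __name__ == "__main__":
    soa = parse_soa_line(UNTRIMMED_AUTHORITY)
    print("TTL the authority should have sent (RFC 2308 s3):",
          authoritative_negative_soa(soa).ttl)
    print("strict resolver caches NXDOMAIN for:", resolver_negative_ttl(soa), "s")
    print("defensive resolver caches NXDOMAIN for:",
          resolver_negative_ttl(soa, defensive=True), "s")
```

Running it against the constructed line shows the gap the post is asking about: a compliant authority would have sent TTL 300, a resolver that trusts the received TTL caches the NXDOMAIN for 900 seconds, and one that re-applies the minimum locally caches it for 300. Compare the TTL printed on the SOA in `dig +norecurse` output from the authority against the zone's MINIMUM field to see which behaviour a given server exhibits.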

