[dns-operations] RFC2308, negative answer caching, and the largest gTLDs

Mats Dufberg mats.dufberg at iis.se
Thu Mar 8 00:54:47 UTC 2018

RFC 1035 (https://tools.ietf.org/html/rfc1035) says on page 20

Whenever a RR is sent in a response to a
query, the TTL field is set to the maximum of the TTL field from the RR
and the MINIMUM field in the appropriate SOA.  Thus MINIMUM is a lower
bound on the TTL field for all RRs in a zone.  Note that this use of
MINIMUM should occur when the RRs are copied into the response and not
when the zone is loaded from a master file or via a zone transfer.

This means that there could be value in keeping the SOA TTL lower than the SOA MINIMUM to make negative caching shorter than normal caching.

I am not sure, however, that bind has implemented it in this way. I think that it respects whatever TTL you have set on the RRs in the zone file, independent of the SOA MINIMUM. I cannot find any RFC changing the specification, however.


Mats Dufberg
DNS Specialist, IIS
Mobile: +46 73 065 3899

From: dns-operations <dns-operations-bounces at dns-oarc.net> on behalf of Andrew White <andrew at vivalibre.com>
Date: Wednesday 7 March 2018 at 20:02
To: "dns-operations at dns-oarc.net" <dns-operations at dns-oarc.net>
Subject: [dns-operations] RFC2308, negative answer caching, and the largest gTLDs

Hi all,
As we Shirley all often do, I was browsing RFC2308 ( https://tools.ietf.org/html/rfc2308 ) and noticed that a caching resolver is supposed to cache negative answers for "x" seconds, where x is the lower of these two values: SOA MIN field and SOA TTL.
The excerpt in question (emphasis mine):

   Name servers authoritative for a zone MUST include the SOA record of
   the zone in the authority section of the response when reporting an
   NXDOMAIN or indicating that no data of the requested type exists.
   This is required so that the response may be cached.  The TTL of this
   record is set from the minimum of the MINIMUM field of the SOA record
   and the TTL of the SOA itself, and indicates how long a resolver may
   cache the negative answer.  The TTL SIG record associated with the
   SOA record should also be trimmed in line with the SOA's TTL.

I posit that this implies that a given zone's SOA TTL and SOA MIN should generally be the same.
However, com/net/org have 900 for SOA TTL and 86400 for SOA MIN. Why?
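The two TTL rules discussed in this thread, worked through in code. This is an added example, not code from either poster or from any resolver; it parses a single-line SOA record in dig/zone-file presentation format, computes the RFC 2308 negative-caching TTL (min of SOA TTL and SOA MINIMUM) that Andrew quotes, and for contrast the RFC 1035 rule that Mats quotes (MINIMUM as a floor on RR TTLs copied into a response). The sample SOA uses the 900/86400 values from the thread; the server names, serial and timers in it are constructed placeholders.

```python
import re

# Constructed sample: the SOA a resolver would see in the authority section of an
# NXDOMAIN response. TTL 900 and MINIMUM 86400 are the com/net/org values from the
# thread; the names, serial, refresh, retry and expire values are illustrative only.
SAMPLE_SOA = ("com. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. "
              "1520467200 1800 900 604800 86400")

_WS = re.compile(r"\s+")


def parse_soa(line):
    """Parse one IN SOA RR in presentation format into a dict of named fields.

    Expects: owner ttl IN SOA mname rname serial refresh retry expire minimum
    """
    fields = _WS.split(line.strip())
    if len(fields) != 11 or fields[2].upper() != "IN" or fields[3].upper() != "SOA":
        raise ValueError("not a single-line IN SOA record: %r" % line)
    return {
        "owner": fields[0],
        "ttl": int(fields[1]),
        "mname": fields[4],
        "rname": fields[5],
        "serial": int(fields[6]),
        "refresh": int(fields[7]),
        "retry": int(fields[8]),
        "expire": int(fields[9]),
        "minimum": int(fields[10]),
    }


def negative_cache_ttl(soa):
    """RFC 2308 (text quoted above): a negative answer is cached for
    min(SOA TTL, SOA MINIMUM)."""
    return min(soa["ttl"], soa["minimum"])


def rfc1035_response_ttl(rr_ttl, soa):
    """The older RFC 1035 rule Mats quotes: when an RR is copied into a response,
    its TTL becomes max(RR TTL, SOA MINIMUM), so MINIMUM is a floor."""
    return max(rr_ttl, soa["minimum"])


class NegativeCache:
    """Minimal NXDOMAIN cache whose entries expire per RFC 2308."""

    def __init__(self):
        self._expiry = {}  # qname -> absolute expiry time (seconds)

    def store_nxdomain(self, qname, soa, now):
        self._expiry[qname.lower()] = now + negative_cache_ttl(soa)

    def is_cached(self, qname, now):
        exp = self._expiry.get(qname.lower())
        return exp is not None and now < exp


def worked_example():
    """Return the numbers for the thread's com/net/org case."""
    soa = parse_soa(SAMPLE_SOA)
    return {
        "negative_ttl": negative_cache_ttl(soa),           # 900: the SOA TTL wins
        "rfc1035_ttl_for_300s_rr": rfc1035_response_ttl(300, soa),  # 86400: MINIMUM floors it
    }


if __name__ == "__main__":
    print(worked_example())
```

For com/net/org the example shows why the two values need not match: the RFC 2308 negative TTL comes out at 900 because the SOA TTL is the smaller operand, while the 86400 MINIMUM only matters under the older RFC 1035 floor rule.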
