[dns-operations] RFC2308, negative answer caching, and the largest gTLDs

Mark Andrews marka at isc.org
Thu Mar 8 20:47:47 UTC 2018 

> On 9 Mar 2018, at 12:59 am, James Stevens <James.Stevens at jrcs.co.uk> wrote:
> 
> RFC2308/3 defines the negative-cache TTL as the TTL on the SOA record sent in a negative-response - i.e. the less of SOA/TTL and SOA/MIN
> 
> 2308/3 : "indicates how long a resolver may cache the negative answer”

You use these values to work out how long to CACHE FOR.  The SOA’s TTL counts down while it is cached like any other record in a cache.  If you have signed responses the TTLs on the NSEC and NSEC3 records also count down.

> Where as RFC2308/4 defines the negative-cache TTL as SOA/MIN
> 
> 2308/4 : "the TTL to be used for negative responses, is the new defined meaning of the SOA minimum field”

Which defines the negative TTL the authoritative servers emit.  It is also used to set the TTL of the NSEC and NSEC3 records when they are generated.

> Where SOA/TTL is less than SOA/MIN this seems to create a conflict as to how long to cache negative-responses.

There is no conflict.  There are explicit instructions to the cache the negative response.  Just follow them.

> On 07/03/18 23:26, Andrew White wrote:
>> Hi all,
>> As we Shirley all often do, I was browsing RFC2308 ( https://tools.ietf.org/html/rfc2308 ) and noticed that a caching resolver is supposed to cache negative answers for "x" seconds, where x is the lower of these two values: SOA MIN field and SOA TTL.
>> The excerpt in question (emphasis mine):
>>    Name servers authoritative for a zone MUST include the SOA record of
>>    the zone in the authority section of the response when reporting an
>>    NXDOMAIN or indicating that no data of the requested type exists.
>>    This is required so that the response may be cached.*The TTL of this record is set from the minimum of the MINIMUM field of the SOA record and the TTL of the SOA itself, and indicates how long a resolver may cache the negative answer.*   The TTL SIG record associated with the
>>    SOA record should also be trimmed in line with the SOA's TTL.
>> I posit that this implies that a given zone's SOA TTL and SOA MIN should generally be the same.
>> However, com/net/org have 900 for SOA TTL and 86400 for SOA MIN. Why?
>> Andrew
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>> dns-operations mailing list
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-operations mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org

More information about the dns-operations mailing list