[dns-operations] RFC2308, negative answer caching, and the largest gTLDs
marka at isc.org
Sun Mar 11 23:11:54 UTC 2018
> On 12 Mar 2018, at 9:30 am, Olafur Gudmundsson <ogud at ogud.com> wrote:
>> On Mar 9, 2018, at 3:22 PM, Wessels, Duane <dwessels at verisign.com> wrote:
>> Very early on the .com and .net zones had an SOA minimum value of 86400. Probably because "that's the way it always was."
>> Around 2004 we decreased the time between registry update and publication in the zone. The SOA TTL and minimum values were changed to 900. It remained this way until 2010.
>> In 2010, the .com and .net zones were signed with DNSSEC and the SOA minimum unfortunately regressed to its previous value of 86400, where it remains today.
>> As far as we're aware, the regression has not caused any significant operational issues and our philosophy has been "if it ain't broke, don't fix it." That said, we are open to changing it back to 900 if there are good reasons to do so. If anyone is aware of such reasons or operational problems with the current values, we'd like to hear about it.
> Right now if a resolver caches an entry for a domain after it is registered but before it is available in the com/net server the query goes to, that resolver is blind to that fact for 24 hours,
> Please lower this value to something lower; 900 would be great, 7200 is fine if you lower all TTLs from com/net/etc. to that at the same time :-)
> Internet moves faster today than it did in 1990.
If the current negative answers (see below) are being cached longer than 900 seconds then the resolver is broken.
Now if the recursive server supports aggressive negative caching, removal of a secure delegation could take 24 hours to be effective as that takes into account the NSEC3 RRSIGs.
If you get the DS wrong for a secure delegation it will take 24 hours to correct it.
Fixing a bad delegation takes 48 hours.
[rock:~/git/bind9] marka% dig fdgsdgertqwe.com @a.gtld-servers.net +dnssec
; <<>> DiG 9.13.0-dev+hotspot+add-prefetch+marka <<>> fdgsdgertqwe.com @a.gtld-servers.net +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22450
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;fdgsdgertqwe.com. IN A
;; AUTHORITY SECTION:
com. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1520808663 1800 900 604800 86400
com. 900 IN RRSIG SOA 8 1 900 20180318225103 20180311214103 46967 com. DK1VJET078ZR++ZSfqQtXEuSyQur5/t8f8QiA+kk/DEUzq3sKl1k369M 8hTDX4d5SK5eCVgnG1vmjGsM3hOqKPOYcjTfQuD81tBik+nqY0G0hCwg IJDeZtE9F4TKVBVhIA7EnSJ5JV4fGpDNxddAwNGAg87bPl9I+TwLmP00 6P8=
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20180317044526 20180310043526 46967 com. Zcp1U/50Oi2AaX2WwBcCnm0KugLX4M35x5Id2vTBnjVfhQ0c6CEXd4Lt YNvyVcH4TIb1V5YxDN//jgdJ3PnyVw9cSFgpynqkBHR3Yh3KnrXNH9Nj XNiofxPOP0gHtUPIhSwmmqIkXD5tC6Pe+ga8vYA7HKCylJuVUtczh2yc qTQ=
OTTB1V2IDQKODD88L70LK1NTAAQDUPLP.com. 86400 IN NSEC3 1 1 0 - OTTGLCTMAFRK7BICMH87JEIO9SA9N495 NS DS RRSIG
OTTB1V2IDQKODD88L70LK1NTAAQDUPLP.com. 86400 IN RRSIG NSEC3 8 2 86400 20180317041831 20180310040831 46967 com. uWIr4o8kXb2EE3uOTd6xL0XUiiMaCTM+UrB7FhKcqxBfT0s+W62YJgwM XGNezFSixsSLCg3dQBkfEMnwTU4qhply0+3nM5/ZiH33HGBhOX5VGnZU +7pEXvek1w2x+rJOBrePJTg+iVqvJyPvL80MDDGETdd8QZ4E4C28IxVO EaQ=
3RL20VCNK6KV8OT9TDIJPI0JU1SS6ONS.com. 86400 IN NSEC3 1 1 0 - 3RL3ODP8D910939I655B97GAQU6VE1Q7 NS DS RRSIG
3RL20VCNK6KV8OT9TDIJPI0JU1SS6ONS.com. 86400 IN RRSIG NSEC3 8 2 86400 20180318042452 20180311041452 46967 com. Zwe2/2hX/LVOdem6QKH8n+vpBFt1Nsvuds/pv3Ofp9sjExbmWUBOzytg nVsTD+ZCDTBuFxTuaOQZUa0/qCMFhoI2HTjO9ljZdcb9q27ERpXldJVn a7E3UNA5bgUk4aQtjQUf1JAm0e5Caa71cH+QfHHqREtS+yP7n+GWpk6h wOE=
;; Query time: 317 msec
;; SERVER: 2001:503:a83e::2:30#53(2001:503:a83e::2:30)
;; WHEN: Mon Mar 12 09:51:22 AEDT 2018
;; MSG SIZE rcvd: 1008
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
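An added illustration of the two cache lifetimes contrasted in the reply above (this is example code, not from the thread or from BIND): the RFC 2308 negative TTL derived from the SOA in the dig output, and the longer span a validator may retain the signed NSEC3 records, which is what aggressive negative caching works from. The AUTHORITY excerpt is constructed from the output above with signature data truncated, and QUERY_TIME is the dig's timestamp converted to UTC.

```python
from datetime import datetime, timezone

# Constructed excerpt of the AUTHORITY section from the dig output above
# (signature data truncated; only the TTL and expiration fields matter here).
AUTHORITY = """\
com. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1520808663 1800 900 604800 86400
com. 900 IN RRSIG SOA 8 1 900 20180318225103 20180311214103 46967 com. DK1V...
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20180317044526 20180310043526 46967 com. Zcp1...
"""

def sig_time(stamp):
    """Parse an RRSIG YYYYMMDDHHmmSS timestamp as UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

# The dig ran Mon Mar 12 09:51:22 AEDT 2018, i.e. 22:51:22 UTC on Mar 11.
QUERY_TIME = sig_time("20180311225122")

def parse_rrs(text):
    """Split presentation-format RRs into (owner, ttl, type, rdata fields)."""
    rrs = []
    for line in text.splitlines():
        owner, ttl, _cls, rtype, *rdata = line.split()
        rrs.append((owner, int(ttl), rtype, rdata))
    return rrs

def rfc2308_negative_ttl(rrs):
    """RFC 2308 section 5: NXDOMAIN is cached for min(SOA RR TTL, SOA MINIMUM)."""
    for _owner, ttl, rtype, rdata in rrs:
        if rtype == "SOA":
            minimum = int(rdata[6])  # MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
            return min(ttl, minimum)
    raise ValueError("no SOA in authority section")

def nsec3_cache_ttl(rrs, now):
    """Longest a validator may keep a signed NSEC3 RR (RFC 4035 section 5.3.3):
    min(RR TTL, RRSIG Original TTL, seconds until signature expiration).
    Aggressive negative caching (RFC 8198) can reuse the NSEC3 only for that span."""
    caps = []
    for owner, ttl, rtype, _ in rrs:
        if rtype != "NSEC3":
            continue
        for o2, _, t2, rdata in rrs:
            if o2 == owner and t2 == "RRSIG" and rdata[0] == "NSEC3":
                # RRSIG RDATA: covered alg labels origttl expiration inception keytag signer
                remaining = int((sig_time(rdata[4]) - now).total_seconds())
                caps.append(min(ttl, int(rdata[3]), remaining))
    return min(caps)  # raises ValueError if no signed NSEC3 was present
```

With the SOA TTL of 900 and MINIMUM of 86400, the plain negative answer lives 900 seconds, while the NSEC3 records live their full 86400 seconds unless their signature expires sooner.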