[dns-operations] RFC2308, negative answer caching, and the largest gTLDs

Tim Wicinski tjw.ietf at gmail.com
Sat Mar 31 13:28:34 UTC 2018



From my high tech gadget

> On Mar 31, 2018, at 07:39, Peter van Dijk <peter.van.dijk at powerdns.com> wrote:
> 
> Hello,
> 
> On 13 Mar 2018, at 22:24, Andrew White wrote:
> 
>   A resolver that supports aggressive use of NSEC and NSEC3 SHOULD
>   reduce the TTL of NSEC and NSEC3 records to match the SOA.MINIMUM
>   field in the authority section of a negative response, if SOA.MINIMUM
>   is smaller.
> 
> Working through these rules with a negative reply from .com, the TTL on the NSEC3 stays 86400. I expect the authors assumed that SOA MIN would never be greater than SOA TTL, perhaps.
> 
> In other words, where before 8198 an NXDOMAIN would deny that single name for 900 seconds, with 8198, that name and a large group that hash ‘close to it’ will be denied for 86400 seconds. This is a serious change in resolver-understood intent of the numbers typed in by the zone operator.
> 
> We could update these RFCs but it would take a long time for implementations to follow along.
> 
> I think the conclusion here should be that (Duane, are you reading along?) yes, the SOA MIN field should be set identical to the SOA TTL to avoid these bad interactions between 2308, 4034 and 8198. It will also avoid some confusion in the large group of people that haven’t read up on DNS since before 2308.
> 

This is the same set of people I work with who continue to tell me that DNS UDP packets cannot be larger than 512 bytes.

Sigh

Tim



> Kind regards,
> -- 
> Peter van Dijk
> PowerDNS.COM BV - https://www.powerdns.com/
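The TTL interaction Peter walks through above, as an added example that is not code from the thread: it models the RFC 2308 and RFC 8198 rules side by side and includes a small operator-side check. The .com figures (SOA TTL 900, SOA.MINIMUM 86400, NSEC3 TTL 86400) are an assumption reconstructed from the numbers quoted in the thread, not a live lookup.

```python
"""Model of the negative-answer TTL rules discussed in the thread.

Added example, not code from the thread. The .com figures below are an
assumption reconstructed from the numbers Peter quotes (900 s under RFC 2308,
86400 s on the NSEC3), not the result of a query.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class NegativeResponse:
    soa_ttl: int      # TTL on the SOA in the authority section
    soa_minimum: int  # SOA.MINIMUM field of that SOA
    nsec_ttl: int     # TTL on the NSEC/NSEC3 record(s) in the same response


def rfc2308_negative_ttl(r: NegativeResponse) -> int:
    """RFC 2308: a negative answer is cached for min(SOA.MINIMUM, SOA TTL)."""
    return min(r.soa_minimum, r.soa_ttl)


def rfc8198_nsec_ttl(r: NegativeResponse) -> int:
    """RFC 8198: the NSEC/NSEC3 TTL is reduced to SOA.MINIMUM only if that is
    smaller. The SOA TTL itself is not consulted, which is the gap the thread
    points out."""
    return min(r.nsec_ttl, r.soa_minimum)


def check_zone(r: NegativeResponse) -> list[str]:
    """Operator-side lint: flag values under which an aggressive-NSEC resolver
    denies names for longer than a plain RFC 2308 negative cache would."""
    findings = []
    if r.soa_minimum > r.soa_ttl:
        findings.append("SOA.MINIMUM exceeds SOA TTL; RFC 8198 ignores the SOA TTL")
    if rfc8198_nsec_ttl(r) > rfc2308_negative_ttl(r):
        findings.append(
            f"aggressive NSEC cache lifetime {rfc8198_nsec_ttl(r)}s exceeds "
            f"RFC 2308 negative TTL {rfc2308_negative_ttl(r)}s"
        )
    return findings


# Constructed to match the figures in the thread (assumed, not queried).
COM_AS_DISCUSSED = NegativeResponse(soa_ttl=900, soa_minimum=86400, nsec_ttl=86400)
# Peter's proposed fix: SOA.MINIMUM set identical to the SOA TTL.
COM_WITH_FIX = NegativeResponse(soa_ttl=900, soa_minimum=900, nsec_ttl=86400)

if __name__ == "__main__":
    for label, r in (("as discussed", COM_AS_DISCUSSED), ("with fix", COM_WITH_FIX)):
        print(label, rfc2308_negative_ttl(r), rfc8198_nsec_ttl(r), check_zone(r))
```

With the assumed values the first case caches the single NXDOMAIN for 900 s but the covering NSEC3 for 86400 s; setting SOA.MINIMUM to the SOA TTL brings both to 900 s.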



