[dns-operations] The loop cased by Negative caching without SOA

Davey Song songlinjian at gmail.com
Thu Sep 1 03:59:39 UTC 2022

Hi folks,

We found there are Negative responses without SOA records exist in the
Internet. I noticed that RFC2308 suggests not caching Negative responses
without SOA records to avoid a loop.

So I'm wondering what the loop or circle is. Does it mean the resolver may
cache the Negative response forever by resetting the TTL? I think it is
dependent on how the resolver implements it. Or are there other risks of
looping I may miss?

In section 5 of RFC2308 it says:

   Negative responses without SOA records SHOULD NOT be cached as there
   is no way to prevent the negative responses looping forever between a
   pair of servers even with a short TTL.

   Despite the DNS forming a tree of servers, with various mis-
   configurations it is possible to form a loop in the query graph, e.g.
   two servers listing each other as forwarders, various lame server
   configurations.  Without a TTL count down a cache negative response

   when received by the next server would have its TTL reset.  This
   negative indication could then live forever circulating between the
   servers involved.

Best regards,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20220901/c283f77b/attachment.html>

More information about the dns-operations mailing list