[dns-operations] The loop caused by Negative caching without SOA
Davey Song
songlinjian at gmail.com
Thu Sep 1 03:59:39 UTC 2022
Hi folks,
We found that negative responses without SOA records exist in the
Internet. I noticed that RFC2308 suggests not caching negative responses
without SOA records to avoid a loop.
So I'm wondering what the loop or circle is. Does it mean the resolver may
cache the negative response forever by resetting the TTL? I think it is
largely dependent on how the resolver implements it. Or are there other
risks of looping I may miss?
In section 5 of RFC2308 it says:
Negative responses without SOA records SHOULD NOT be cached as there
is no way to prevent the negative responses looping forever between a
pair of servers even with a short TTL.
Despite the DNS forming a tree of servers, with various
misconfigurations it is possible to form a loop in the query graph, e.g.
two servers listing each other as forwarders, various lame server
configurations. Without a TTL count down a cache negative response
when received by the next server would have its TTL reset. This
negative indication could then live forever circulating between the
servers involved.
Best regards,
Davey
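The scenario RFC 2308 section 5 describes can be made concrete with a small model. The following is an added example, not part of Davey's post or of any resolver's code: it models two servers that list each other as forwarders (the "loop in the query graph" of the RFC) and passes a negative answer around that ring. With an SOA present, the negative TTL is derived as RFC 2308 section 3 specifies (the minimum of the SOA TTL and the SOA MINIMUM field) and counts down on every hop, so the entry dies after a bounded number of hops. Without an SOA there is no TTL to count down; a server that caches such an answer anyway (the behaviour the RFC says SHOULD NOT happen) resets the TTL on every hop, and the answer circulates until the simulation's hop cap. The server names, TTL values, query name and hop delay are constructed for the example.

```python
"""Model of the negative-cache loop described in RFC 2308 section 5.

Constructed example: two servers forwarding to each other, a negative
answer handed from one to the other, and a per-hop delay standing in for
the time between one server's cache entry being populated and its peer
asking for the same name.
"""
from dataclasses import dataclass
from typing import List, Optional


def negative_ttl_from_soa(soa_ttl: int, soa_minimum: int) -> int:
    """RFC 2308 section 3: negative cache TTL is min(SOA TTL, SOA MINIMUM)."""
    return min(soa_ttl, soa_minimum)


@dataclass
class NegativeAnswer:
    """A constructed NXDOMAIN/NODATA answer as it travels between servers."""
    qname: str
    ttl: Optional[int]   # TTL carried on the wire; None when no SOA is present
    has_soa: bool


@dataclass
class Server:
    name: str
    caches_without_soa: bool   # True models the behaviour RFC 2308 advises against
    default_negative_ttl: int = 3600   # hypothetical "reset" TTL a lax server applies

    def cache_ttl(self, answer: NegativeAnswer) -> Optional[int]:
        """TTL this server stores for the negative entry, or None if it does not cache it."""
        if answer.has_soa:
            return answer.ttl                  # countdown continues from the received value
        if self.caches_without_soa:
            return self.default_negative_ttl   # no SOA: TTL is reset at every hop
        return None                            # RFC 2308 section 5: SHOULD NOT be cached


def circulate(answer: NegativeAnswer, ring: List[Server],
              hop_delay: int, max_hops: int) -> int:
    """Pass a negative answer around a ring of mutually forwarding servers.

    Each hop: the receiving server caches the answer, hop_delay seconds pass,
    and (if the entry is still alive) it is served to the next server in the
    ring. Returns the number of hops the answer survived in caches; a result
    equal to max_hops means it never expired on its own.
    """
    hops = 0
    current = answer
    while hops < max_hops:
        server = ring[hops % len(ring)]
        ttl = server.cache_ttl(current)
        if ttl is None:
            break   # not cached, so it cannot be re-served to the next server
        hops += 1
        remaining = ttl - hop_delay
        if current.has_soa and remaining <= 0:
            break   # TTL counted down to zero on this hop; the entry expired
        # Without an SOA there is nothing to count down, so the next server
        # sees no remaining TTL and applies its own default again.
        current = NegativeAnswer(current.qname,
                                 remaining if current.has_soa else None,
                                 current.has_soa)
    return hops


def demo() -> dict:
    """Compare a compliant answer, a cached no-SOA answer, and a compliant resolver."""
    lax_ring = [Server("ns-a", caches_without_soa=True),
                Server("ns-b", caches_without_soa=True)]
    strict_ring = [Server("ns-a", caches_without_soa=False),
                   Server("ns-b", caches_without_soa=False)]
    with_soa = NegativeAnswer("nx.example", negative_ttl_from_soa(3600, 300), True)
    without_soa = NegativeAnswer("nx.example", None, False)
    return {
        "soa_present": circulate(with_soa, lax_ring, hop_delay=100, max_hops=1000),
        "no_soa_cached_anyway": circulate(without_soa, lax_ring, 100, 1000),
        "no_soa_rfc_compliant": circulate(without_soa, strict_ring, 100, 1000),
    }


if __name__ == "__main__":
    for label, hops in demo().items():
        print(f"{label}: survived {hops} hop(s)")
```

With the constructed values the SOA-bearing answer (negative TTL 300, 100 seconds per hop) is served 300, 200, 100 and then expires, so it survives three hops; the no-SOA answer on lax servers hits the 1000-hop cap, which is the "live forever circulating" case; and on RFC-compliant servers it is never cached, so it cannot be re-served at all. Real resolvers differ in how they handle the no-SOA case (Davey's "largely dependent on how the resolver implements it"), which is exactly the variability the model's caches_without_soa flag stands for.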