[dns-operations] The loop caused by Negative caching without SOA
Mark Andrews
marka at isc.org
Thu Sep 1 04:53:21 UTC 2022
If you have 2 recursive servers each talking to each other and falling back
to iterative lookups, say after 10ms or so, or doing non-recursive queries of the
other server. If both servers cache negative responses w/o SOA records, then
if the queries come in the right pattern, server A will learn the -ve response
from server B; then, before the “cached” response on A has timed out, server B
will learn the “cached” response from server A. If the zone is then updated,
the recursive servers may never go back to it.
No cached data
A example.com/A RD=0 -> B referral (best NS RRset) -> A -> iterative query
Cached example
B has “cached” a NOSOA / NODATA for example.com/A for 10 sec at T=0
At T=5
A example.com/A RD=0 -> B NODATA/N -> A “cached” NOSOA/NODATA for 10 secs
At T=11
B example.com/A RD=0 -> A NODATA/N -> B “cached” NOSOA/NODATA for 10 secs
Mark
> On 1 Sep 2022, at 13:59, Davey Song <songlinjian at gmail.com> wrote:
>
> Hi folks,
>
> We found there are Negative responses without SOA records exist in the
> Internet. I noticed that RFC2308 suggests not caching Negative responses
> without SOA records to avoid a loop.
>
> So I'm wondering what the loop or circle is. Does it mean the resolver may
> cache the Negative response forever by resetting the TTL? I think it is largely
> dependent on how the resolver implements it. Or are there other risks of
> looping I may miss?
>
> In section 5 of RFC2308 it says:
>
> Negative responses without SOA records SHOULD NOT be cached as there
> is no way to prevent the negative responses looping forever between a
> pair of servers even with a short TTL.
>
> Despite the DNS forming a tree of servers, with various mis-
> configurations it is possible to form a loop in the query graph, e.g.
> two servers listing each other as forwarders, various lame server
> configurations. Without a TTL count down a cache negative response
> when received by the next server would have its TTL reset. This
> negative indication could then live forever circulating between the
> servers involved.
>
>
> Best regards,
> Davey
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
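A small simulation of the loop Mark walks through above, added here as an illustration and not code from the thread or from ISC. It assumes a 10-second default negative TTL for answers that carry no SOA, a zone that gains the record at T=1, and the query timing from Mark's trace (B at T=0,11,22,..., A at T=5,16,27,...); with_soa=True models RFC 2308 behaviour where the TTL comes from the SOA and counts down, with_soa=False models a NODATA answer with no SOA.

```python
DEFAULT_NEG_TTL = 10  # assumed default a server uses when a negative answer carries no TTL

class Authority:
    """Toy authoritative server: NODATA until the zone is updated, then a real answer."""
    def __init__(self, with_soa):
        self.with_soa, self.updated, self.queries = with_soa, False, 0
    def query(self, now):
        self.queries += 1
        if self.updated:
            return ("DATA", None)
        return ("NODATA", 10 if self.with_soa else None)  # SOA minimum 10s, or no SOA at all

class Recursor:
    """Recursor that tries its peer non-recursively (RD=0) before iterating itself."""
    def __init__(self, auth, with_soa):
        self.auth, self.with_soa, self.expires, self.peer = auth, with_soa, None, None
    def cached(self, now):
        return self.expires is not None and now < self.expires
    def answer_rd0(self, now):
        # The remaining TTL only travels with the answer when an SOA is there to carry it.
        if self.cached(now):
            return ("NODATA", self.expires - now if self.with_soa else None)
        return ("REFERRAL", None)
    def resolve(self, now):
        if self.cached(now):
            return "NODATA"
        kind, ttl = self.peer.answer_rd0(now)
        if kind != "NODATA":
            kind, ttl = self.auth.query(now)  # peer had nothing: iterative lookup
        if kind == "NODATA":
            # Without a TTL to count down, the entry is reborn with a fresh default TTL.
            self.expires = now + (DEFAULT_NEG_TTL if ttl is None else ttl)
        return kind

def simulate(with_soa, horizon=60):
    """B is queried at T=0,11,22,..., A at T=5,16,27,... (the 'right pattern').
    Returns (time the first real answer was seen, or None; authoritative query count)."""
    auth = Authority(with_soa)
    a, b = Recursor(auth, with_soa), Recursor(auth, with_soa)
    a.peer, b.peer = b, a
    first_data = None
    slots = range(0, horizon, 11)
    events = sorted([(t, b) for t in slots] + [(t + 5, a) for t in slots], key=lambda e: e[0])
    for now, server in events:
        auth.updated = now >= 1  # the zone gains the record at T=1
        if server.resolve(now) == "DATA" and first_data is None:
            first_data = now
    return first_data, auth.queries
```

Without an SOA the authority is consulted exactly once and the NODATA circulates between A and B for the whole horizon; with an SOA the counted-down TTL lets both entries expire at T=10 and B fetches the new record at T=11.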