[dns-operations] The loop caused by Negative caching without SOA

Davey Song songlinjian at gmail.com
Fri Sep 2 01:31:04 UTC 2022


Thanks, Mark.

It looks like two resolvers make a forward-first policy on each other. The
loop of forwarding is the potential cause, which is rare. I think it is not
configured by one operator but may produce the forwarding loop by accident
between two operators.

Davey

On Thu, Sep 1, 2022 at 12:53 PM Mark Andrews <marka at isc.org> wrote:

> If you have 2 recursive servers each talking to each other and falling back
> to iterative lookups say after 10ms or so or does non-recursive queries of
> the other server.  If both servers cache negative responses w/o SOA records
> then if the queries come in the right pattern server A will learn the -ve
> response from server B then before the “cached” response on A has timed out,
> server B will learn the “cached” response from server A. If the zone is then
> updated the recursive servers may never go back to it.
>
> No cached data
>
> A  example.com/A RD=0 -> B referral (best NS RRset) -> A -> iterative query
>
> Cached example
>
> B has “cached” a NOSOA / NODATA for example.com/A for 10 sec at T=0
>
> At T=5
> A example.com/A RD=0 -> B NODATA/N -> A “cached” NOSOA/NODATA for 10 secs
>
> At T=11
> B example.com/A RD=0 -> A NODATA/N -> B “cached” NOSOA/NODATA for 10 secs
>
> Mark
>
> > On 1 Sep 2022, at 13:59, Davey Song <songlinjian at gmail.com> wrote:
> >
> > Hi folks,
> >
> > We found that Negative responses without SOA records exist on the
> > Internet. I noticed that RFC2308 suggests not caching Negative responses
> > without SOA records to avoid a loop.
> >
> > So I'm wondering what the loop or circle is. Does it mean the resolver may
> > cache the Negative response forever by resetting the TTL? I think it is
> > largely dependent on how the resolver implements it. Or are there other
> > risks of looping I may miss?
> >
> > In section 5 of RFC2308 it says:
> >
> >    Negative responses without SOA records SHOULD NOT be cached as there
> >    is no way to prevent the negative responses looping forever between a
> >    pair of servers even with a short TTL.
> >
> >    Despite the DNS forming a tree of servers, with various mis-
> >    configurations it is possible to form a loop in the query graph, e.g.
> >    two servers listing each other as forwarders, various lame server
> >    configurations.  Without a TTL count down a cache negative response
> >    when received by the next server would have its TTL reset.  This
> >    negative indication could then live forever circulating between the
> >    servers involved.
> >
> >
> > Best regards,
> > Davey
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
>
>
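
The sequence described in the quoted reply, as an added simulation (not code from the thread or from any resolver implementation). The Resolver class, the simulate() helper, the query times (every 6 s from T=5) and the zone update at T=8 are constructed for illustration; "countdown" mode assumes the peer hands over only the remaining TTL, which is what an SOA-derived TTL allows.

```python
NEG_TTL = 10  # seconds: the fixed negative lifetime used in the thread's example

class Resolver:
    def __init__(self, name, countdown):
        self.name = name
        self.countdown = countdown  # True: accept only the peer's remaining TTL
        self.peer = None
        self.neg_expiry = None      # absolute time at which the negative entry expires

    def cached_ttl(self, now):
        """Remaining lifetime of the cached negative answer, 0 if none or expired."""
        if self.neg_expiry is None or now >= self.neg_expiry:
            return 0
        return self.neg_expiry - now

    def resolve(self, now, zone_has_record):
        """Answer example.com/A at time `now`: 'NODATA' or 'A'."""
        if self.cached_ttl(now) > 0:
            return "NODATA"
        remaining = self.peer.cached_ttl(now)  # RD=0 query against the peer's cache
        if remaining > 0:
            # Without an SOA there is no TTL to count down, so the lifetime restarts.
            self.neg_expiry = now + (remaining if self.countdown else NEG_TTL)
            return "NODATA"
        # Peer has nothing cached: fall back to an iterative lookup of the zone.
        if zone_has_record:
            return "A"
        self.neg_expiry = now + NEG_TTL
        return "NODATA"

def simulate(countdown, zone_update_at=8, end=60):
    """A and B query alternately; the zone gains the A record at zone_update_at."""
    a, b = Resolver("A", countdown), Resolver("B", countdown)
    a.peer, b.peer = b, a
    b.neg_expiry = NEG_TTL  # B "cached" NODATA at T=0
    answers = []
    for i, t in enumerate(range(5, end, 6)):
        r = a if i % 2 == 0 else b
        answers.append((t, r.name, r.resolve(t, t >= zone_update_at)))
    return answers

if __name__ == "__main__":
    for mode in (False, True):
        print("countdown" if mode else "reset", simulate(mode))
```

With the lifetime reset on every hand-off, neither server reaches the updated zone for the whole run; with the remaining TTL carried over, B's query at T=11 goes back to the zone and sees the new record.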