<div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif">"<span style="font-family:"Courier New"" lang="EN-US">Whenever a RR is sent in a response to a</span><span style="font-family:"Courier New"" lang="EN-US"> query, the TTL field is set to the maximum of the TTL field from the RR</span><span style="font-family:"Courier New"" lang="EN-US"></span><span style="font-family:"Courier New"" lang="EN-US"> and the MINIMUM field in the appropriate SOA</span>."<br><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">Is it, though? It doesn't appear so:<br></div><div class="gmail_default" style="font-family:verdana,sans-serif"><br>$ dig @<a href="http://a.gtld-servers.net">a.gtld-servers.net</a> com SOA +noall +ans | tail -1<br>com. 900 IN SOA <a href="http://a.gtld-servers.net">a.gtld-servers.net</a>. <a href="http://nstld.verisign-grs.com">nstld.verisign-grs.com</a>. 1520482920 1800 900 604800 86400<br><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">Perhaps what you mean is that any NXDOMAIN or other negative response contains the maximum from the tuple (SOA MIN/SOA TTL).<br><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">However, that doesn't appear to be the case:<br><br>dig @<a href="http://a.gtld-servers.net">a.gtld-servers.net</a> <a href="http://this-domain-name-surely-does-not-exist-4u33284732432.com">this-domain-name-surely-does-not-exist-4u33284732432.com</a> SOA +noall +auth | tail -1<br>com. 900 IN SOA <a href="http://a.gtld-servers.net">a.gtld-servers.net</a>. <a href="http://nstld.verisign-grs.com">nstld.verisign-grs.com</a>. 1520483055 1800 900 604800 86400<br><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">So my question remains: Why would one ever set the SOA's TTL to a value less than SOA MIN? Why do we do so for the largest gTLDs?<br><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">Andrew<br><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Mar 7, 2018 at 4:54 PM, Mats Dufberg <span dir="ltr"><<a href="mailto:mats.dufberg@iis.se" target="_blank">mats.dufberg@iis.se</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div lang="SV">
<div class="gmail-m_-618951757600324142WordSection1">
<p class="MsoNormal"><span style="font-family:"Courier New"" lang="EN-US">RFC 1035 (<a href="https://tools.ietf.org/html/rfc1035" target="_blank">https://tools.ietf.org/html/<wbr>rfc1035</a>) says on page 20<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"" lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"" lang="EN-US">Whenever a RR is sent in a response to a<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"" lang="EN-US">query, the TTL field is set to the maximum of the TTL field from the RR<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"" lang="EN-US">and the MINIMUM field in the appropriate SOA.
<span style="background:yellow none repeat scroll 0% 0%">Thus MINIMUM is a lower<u></u><u></u></span></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New";background:yellow none repeat scroll 0% 0%" lang="EN-US">bound on the TTL field for all RRs in a zone.</span><span style="font-family:"Courier New"" lang="EN-US">
Note that this use of<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"" lang="EN-US">MINIMUM should occur when the RRs are copied into the response and not<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"" lang="EN-US">when the zone is loaded from a master file or via a zone transfer.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"" lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"" lang="EN-US">This means that there could be a value of keeping SOA TTL lower than SOA MINIMUM to make negative caching shorter than normal caching.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"" lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"" lang="EN-US">I am not sure, however, that bind has implemented it in this way. I think that it respects whatever TTL that you have set on the RRs in the zone file independent
on the SOA MINIMUM. I cannot find any RFC changing the specification, however.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"" lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"" lang="EN-US">Mats<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New"" lang="EN-US"><u></u> <u></u></span></p>
<div>
<p class="MsoNormal"><span style="font-size:10pt;font-family:"Courier New"" lang="EN-US">---<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:"Courier New"" lang="EN-US">Mats Dufberg<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:"Courier New"" lang="EN-US">DNS Specialist, IIS<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:"Courier New"" lang="EN-US">Mobile: <a href="tel:+46%2073%20065%2038%2099" value="+46730653899" target="_blank">+46 73 065 3899</a><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:"Courier New"" lang="EN-US"><a href="https://www.iis.se/en/" target="_blank">https://www.iis.se/en/</a><u></u><u></u></span></p>
</div>
<p class="MsoNormal"><span style="font-family:"Courier New"" lang="EN-US"><u></u> <u></u></span></p>
<div style="border-color:rgb(181,196,223) currentcolor currentcolor;border-style:solid none none;border-width:1pt medium medium;padding:3pt 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:12pt;color:black">From: </span></b><span style="font-size:12pt;color:black">dns-operations <<a href="mailto:dns-operations-bounces@dns-oarc.net" target="_blank">dns-operations-bounces@dns-<wbr>oarc.net</a>> on behalf of Andrew White <<a href="mailto:andrew@vivalibre.com" target="_blank">andrew@vivalibre.com</a>><br>
<b>Date: </b>Wednesday 7 March 2018 at 20:02<br>
<b>To: </b>"<a href="mailto:dns-operations@dns-oarc.net" target="_blank">dns-operations@dns-oarc.net</a>" <<a href="mailto:dns-operations@dns-oarc.net" target="_blank">dns-operations@dns-oarc.net</a>><br>
<b>Subject: </b>[dns-operations] RFC2308, negative answer caching, and the largest gTLDs<u></u><u></u></span></p>
</div><div><div class="gmail-h5">
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12pt"><a name="m_-618951757600324142__MailOriginalBody"><span style="font-family:"Verdana",sans-serif">Hi all,<u></u><u></u></span></a></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12pt"><span><span style="font-family:"Verdana",sans-serif">As we Shirley all often do, I was browsing RFC2308 (
</span></span><a href="https://tools.ietf.org/html/rfc2308" target="_blank"><span><span style="font-family:"Verdana",sans-serif">https://tools.ietf.org/html/<wbr>rfc2308</span></span><span></span></a><span><span style="font-family:"Verdana",sans-serif">
) and noticed that a caching resolver is supposed to cache negative answers for "x" seconds, where x is the lower of these two values: SOA MIN field and SOA TTL.<u></u><u></u></span></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12pt"><span><span style="font-family:"Verdana",sans-serif">The excerpt in question (emphasis mine):<u></u><u></u></span></span></p>
<pre><span> Name servers authoritative for a zone MUST include the SOA record of<u></u><u></u></span></pre>
<pre><span> the zone in the authority section of the response when reporting an<u></u><u></u></span></pre>
<pre><span> NXDOMAIN or indicating that no data of the requested type exists.<u></u><u></u></span></pre>
<pre><span> This is required so that the response may be cached. <b><span style="background:rgb(255,229,153) none repeat scroll 0% 0%">The TTL of this<u></u><u></u></span></b></span></pre>
<pre><span><b><span style="background:rgb(255,229,153) none repeat scroll 0% 0%"> record is set from the minimum of the MINIMUM field of the SOA record<u></u><u></u></span></b></span></pre>
<pre><span><b><span style="background:rgb(255,229,153) none repeat scroll 0% 0%"> and the TTL of the SOA itself, and indicates how long a resolver may<u></u><u></u></span></b></span></pre>
<pre><span><b><span style="background:rgb(255,229,153) none repeat scroll 0% 0%"> cache the negative answer</span>.</b> The TTL SIG record associated with the<u></u><u></u></span></pre>
<pre><span> SOA record should also be trimmed in line with the SOA's TTL.<u></u><u></u></span></pre>
<pre><span><u></u> <u></u></span></pre>
<p class="MsoNormal" style="margin-bottom:12pt"><span><span style="font-family:"Verdana",sans-serif">I posit that this implies that a given zone's SOA TTL and SOA MIN should generally be the same.<u></u><u></u></span></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12pt"><span><span style="font-family:"Verdana",sans-serif">However, com/net/org have 900 for SOA TTL and 86400 for SOA MIN. Why?<u></u><u></u></span></span></p>
</div>
<div>
<p class="MsoNormal"><span><span style="font-family:"Verdana",sans-serif">Andrew<u></u><u></u></span></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12pt"><span><span style="font-family:"Courier New""><br>
<br>
</span></span><span><span style="font-family:"Verdana",sans-serif"><u></u><u></u></span></span></p>
</div>
</div>
</div></div></div>
</div>
</blockquote></div><br></div></div>