<div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif">BIND, at least, appears to cache NXDOMAIN responses from .com gTLD for 900s, the SOA TTL, rather than 86400, the SOA MIN. (Hint: dig +norec allows cache peeking in BIND)<br><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">Is the assertion accurate that the SOA MIN is a noop if SOA TTL <= SOA MIN then? It would seem so for BIND. Do other caching resolvers handle negative cache TTLs differently?<br><br><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Mar 8, 2018 at 5:59 AM, James Stevens <span dir="ltr"><<a href="mailto:James.Stevens@jrcs.co.uk" target="_blank">James.Stevens@jrcs.co.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">RFC2308/3 defines the negative-cache TTL as the TTL on the SOA record sent in a negative-response - i.e. the less of SOA/TTL and SOA/MIN<br>
<br>
2308/3 : "indicates how long a resolver may cache the negative answer"<br>
<br>
<br>
<br>
Where as RFC2308/4 defines the negative-cache TTL as SOA/MIN<br>
<br>
2308/4 : "the TTL to be used for negative responses, is the new defined meaning of the SOA minimum field"<br>
<br>
<br>
<br>
Where SOA/TTL is less than SOA/MIN this seems to create a conflict as to how long to cache negative-responses.<span class=""><br>
<br>
<br>
<br>
<br>
<br>
<br>
On 07/03/18 23:26, Andrew White wrote:<br>
</span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
Hi all,<br>
<br>
As we Shirley all often do, I was browsing RFC2308 ( <a href="https://tools.ietf.org/html/rfc2308" rel="noreferrer" target="_blank">https://tools.ietf.org/html/rf<wbr>c2308</a> ) and noticed that a caching resolver is supposed to cache negative answers for "x" seconds, where x is the lower of these two values: SOA MIN field and SOA TTL.<br>
<br>
The excerpt in question (emphasis mine):<br>
<br>
Name servers authoritative for a zone MUST include the SOA record of<br>
the zone in the authority section of the response when reporting an<br>
NXDOMAIN or indicating that no data of the requested type exists.<br></span>
This is required so that the response may be cached.*The TTL of this record is set from the minimum of the MINIMUM field of the SOA record and the TTL of the SOA itself, and indicates how long a resolver may cache the negative answer.* The TTL SIG record associated with the<span class=""><br>
SOA record should also be trimmed in line with the SOA's TTL.<br>
<br>
I posit that this implies that a given zone's SOA TTL and SOA MIN should generally be the same.<br>
<br>
However, com/net/org have 900 for SOA TTL and 86400 for SOA MIN. Why?<br>
<br>
Andrew<br>
<br>
<br>
<br>
<br>
<br></span>
______________________________<wbr>_________________<br>
dns-operations mailing list<br>
<a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank">dns-operations@lists.dns-oarc.<wbr>net</a><br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mai<wbr>lman/listinfo/dns-operations</a><br>
dns-operations mailing list<br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mai<wbr>lman/listinfo/dns-operations</a><br>
<br>
</blockquote>
</blockquote></div><br></div>