Bug 103 - NXDOMAIN SOA TTL
Status: RESOLVED FIXED
Product: NSD
Classification: Unclassified
Component: NSD Code
Version: 2.3.x
Hardware: All
OS: All
Importance: P2 normal
Assigned To: NSD team
Reported: 2005-09-26 09:15 CEST by Jakob Schlyter
Modified: 2005-09-28 14:31 CEST (History)
Description Jakob Schlyter 2005-09-26 09:15:12 CEST
'dig @a.ns.se nonexistingdomain.se ns' gives SOA TTL=7200 (eq SOA min).
'dig @f.ns.se  nonexistingdomain.se ns' gives SOA TTL=172800 (eq SOA self TTL). 

a runs BIND, f NSD.

shouldn't NSD trim the NXDOMAIN SOA TTL to SOA min? (RFC 2308 section 3).
Comment 1 Miek Gieben 2005-09-26 10:02:08 CEST
I think you're right and this should be changed.
Comment 2 Miek Gieben 2005-09-26 10:25:58 CEST
for completeness here is section 3 of 2308:
(it must be the minimum of the SOA's TTL and the SOA's MINIMUM field)

I think that NODATA responses have the same problem.

3 - Negative Answers from Authoritative Servers

   Name servers authoritative for a zone MUST include the SOA record of
   the zone in the authority section of the response when reporting an
   NXDOMAIN or indicating that no data of the requested type exists.
   This is required so that the response may be cached.  The TTL of this
   record is set from the minimum of the MINIMUM field of the SOA record
   and the TTL of the SOA itself, and indicates how long a resolver may
   cache the negative answer.  The TTL SIG record associated with the
   SOA record should also be trimmed in line with the SOA's TTL.

   If the containing zone is signed [RFC 2065] the SOA and appropriate
   NXT and SIG records MUST be added.
Comment 3 Miek Gieben 2005-09-27 12:59:02 CEST
There are 3 issues at work here:

1. NSD should also set a zero TTL on SOA queries (RFC 1035), compare
dig @a.ns.se nonexistingdomain.se soa  
dig @f.ns.se nonexistingdomain.se soa

2. NSD NODATA responses should also trim the SOA's TTL.

3. NSD NXDOMAIN responses should also trim the SOA's TTL.

From the looks of it, this is a fairly longstanding bug in NSD and fixing
it will take some time. If you need to do something about this, you 
should lower the TTL on the SOA record.
Comment 4 Jakob Schlyter 2005-09-27 14:35:39 CEST
(In reply to comment #3)
> There are 3 issues at work here:
> 
> 1.NSD should also set a zero TTL on SOA queries (RFC 1035), compare
> dig @a.ns.se nonexistingdomain.se soa  
> dig @f.ns.se nonexistingdomain.se soa

I'm not sure about that - it could also hurt more than do good, since nsd doesn't do dynamic update.
Comment 5 Miek Gieben 2005-09-27 14:38:15 CEST
This has nothing to do with dyn. updates, but everything with caching. See 1035.
Comment 6 Miek Gieben 2005-09-28 14:31:02 CEST
Bug #103 fixed.

Added an extra soa member to the zone struct, which holds
a copy of the soa with a tweaked TTL.

in query.c this soa_nx is returned instead of the actual
soa. For normal soa queries the untweaked soa is given
back.

The TTL=0 stuff seems to be something from BIND.
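The following is an added example (not NSD code and not from any of the commenters) illustrating the RFC 2308 section 3 rule quoted in comment 2 and the shape of the fix described in comment 6: the SOA placed in the authority section of an NXDOMAIN or NODATA answer carries min(SOA TTL, SOA MINIMUM), while a direct SOA query returns the untrimmed record. It also checks dig output for the symptom reported here. The dig transcripts, zone name and SOA values are constructed for the example; they are not the real a.ns.se / f.ns.se answers.

```python
"""RFC 2308 s3 negative-answer SOA TTL: compute it and check dig output for it.
Added example; not NSD's own code. Sample data below is constructed."""
import re
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class SOA:
    owner: str
    ttl: int        # TTL of the SOA RR itself
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int    # MINIMUM field: the negative-caching TTL (RFC 2308)


# One SOA RR in dig presentation format: owner ttl IN SOA mname rname 5 numbers.
SOA_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)\s+"
    r"(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)\s+(?P<expire>\d+)\s+(?P<minimum>\d+)\s*$"
)


def parse_soa(line: str) -> Optional[SOA]:
    """Parse one dig output line; None if it is not a SOA RR (e.g. an NSEC)."""
    m = SOA_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return SOA(d["owner"], int(d["ttl"]), d["mname"], d["rname"], int(d["serial"]),
               int(d["refresh"]), int(d["retry"]), int(d["expire"]), int(d["minimum"]))


def negative_ttl(soa: SOA) -> int:
    """RFC 2308 s3: the authority-section SOA of a negative answer gets
    min(TTL of the SOA RR, SOA MINIMUM field)."""
    return min(soa.ttl, soa.minimum)


def authority_soa(soa: SOA, negative: bool) -> SOA:
    """Mirror of the fix in comment 6: a trimmed copy for NXDOMAIN/NODATA,
    the untouched record for a plain SOA query."""
    return replace(soa, ttl=negative_ttl(soa)) if negative else soa


def authority_soas(dig_output: str) -> list:
    """Collect SOA RRs found in the AUTHORITY SECTION of a dig transcript."""
    found, in_auth = [], False
    for line in dig_output.splitlines():
        if line.startswith(";; "):                 # section header / status line
            in_auth = line.startswith(";; AUTHORITY SECTION")
            continue
        if in_auth and line.strip() and not line.startswith(";"):
            soa = parse_soa(line)
            if soa is not None:
                found.append(soa)
    return found


def check_negative_answer(dig_output: str) -> dict:
    """Flag the bug reported here: authority SOA TTL larger than min(TTL, MINIMUM)."""
    soas = authority_soas(dig_output)
    if len(soas) != 1:
        return {"ok": False, "reason": f"expected one SOA in AUTHORITY SECTION, got {len(soas)}"}
    soa = soas[0]
    expected = negative_ttl(soa)
    return {"ok": soa.ttl == expected, "ttl": soa.ttl, "expected": expected, "minimum": soa.minimum}


# Constructed dig transcripts for an NXDOMAIN answer (hypothetical zone "example.",
# SOA RR TTL 172800, MINIMUM 7200). The first trims the TTL; the second does not.
DIG_TRIMMED = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4711
;; QUESTION SECTION:
;nonexistingdomain.example.\t\tIN\tNS

;; AUTHORITY SECTION:
example.\t\t7200\tIN\tSOA\tns1.example. hostmaster.example. 2005092601 7200 1800 1209600 7200
"""
DIG_UNTRIMMED = DIG_TRIMMED.replace("example.\t\t7200\tIN\tSOA", "example.\t\t172800\tIN\tSOA")


if __name__ == "__main__":
    for name, out in (("trimmed", DIG_TRIMMED), ("untrimmed", DIG_UNTRIMMED)):
        print(name, check_negative_answer(out))
```

Run against real servers by feeding `check_negative_answer` the text of `dig @server nonexistingname.zone ns`; a result with `ok: False` and `ttl` equal to the SOA RR's own TTL is exactly the difference between the two servers in the report. The parser deliberately ignores non-SOA records in the authority section (NSEC/NXT and their signatures in a signed zone) and reports an error rather than guessing when it does not find exactly one SOA.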