Bugzilla – Bug 103
NXDOMAIN SOA TTL
Last modified: 2005-09-28 14:31:02 CEST
'dig @a.ns.se nonexistingdomain.se ns' gives SOA TTL=7200 (eq SOA min).
'dig @f.ns.se nonexistingdomain.se ns' gives SOA TTL=172800 (eq SOA self TTL).
a runs BIND, f NSD.
shouldn't NSD trim the NXDOMAIN SOA TTL to SOA min? (RFC 2308 section 3).
I think you're right and this should be changed.
for completeness here is section 3 of 2308:
(it must be the minimum of (SOA's TTL, SOA's MINIMUM field))
I think that NODATA responses have the same problem.
3 - Negative Answers from Authoritative Servers
Name servers authoritative for a zone MUST include the SOA record of
the zone in the authority section of the response when reporting an
NXDOMAIN or indicating that no data of the requested type exists.
This is required so that the response may be cached. The TTL of this
record is set from the minimum of the MINIMUM field of the SOA record
and the TTL of the SOA itself, and indicates how long a resolver may
cache the negative answer. The TTL SIG record associated with the
SOA record should also be trimmed in line with the SOA's TTL.
If the containing zone is signed [RFC 2065] the SOA and appropriate
NXT and SIG records MUST be added.
There are 3 issues at work here:
1. NSD should also set a zero TTL on SOA queries (RFC 1035), compare
dig @a.ns.se nonexistingdomain.se soa
dig @f.ns.se nonexistingdomain.se soa
2. NSD NODATA responses should also trim the SOA's TTL.
3. NSD NXDOMAIN responses should also trim the SOA's TTL.
From the looks of it, this is a fairly longstanding bug in NSD and fixing
it will take some time. If you need to do something about this, you
should lower the TTL on the SOA record.
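An added example, not part of this bug thread or of NSD's code, that applies the RFC 2308 section 3 rule quoted above (negative-answer SOA TTL = min(SOA TTL, SOA MINIMUM)) and checks a negative answer for the untrimmed-TTL behaviour reported here. The zone and record names are placeholders and the sample records are constructed to match the numbers in this bug (SOA TTL 172800, MINIMUM 7200); they are not captures from a.ns.se or f.ns.se.

```python
import re
from dataclasses import dataclass, replace

# Matches one SOA record in dig's presentation format:
# owner TTL IN SOA MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
SOA_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)"
    r"\s+(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)\s+(?P<expire>\d+)"
    r"\s+(?P<minimum>\d+)\s*$"
)


@dataclass(frozen=True)
class Soa:
    owner: str
    ttl: int
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def parse_soa(line: str) -> Soa:
    """Parse a dig-style SOA line; anything after ';' is treated as a comment."""
    m = SOA_RE.match(line.split(";", 1)[0].strip())
    if m is None:
        raise ValueError(f"not an SOA record: {line!r}")
    g = m.groupdict()
    return Soa(g["owner"], int(g["ttl"]), g["mname"], g["rname"],
               int(g["serial"]), int(g["refresh"]), int(g["retry"]),
               int(g["expire"]), int(g["minimum"]))


def negative_ttl(zone_soa: Soa) -> int:
    """RFC 2308 section 3: the TTL of the SOA placed in the authority
    section of an NXDOMAIN or NODATA answer is the minimum of the SOA's
    own TTL and its MINIMUM field."""
    return min(zone_soa.ttl, zone_soa.minimum)


def negative_answer_soa(zone_soa: Soa) -> Soa:
    """The copy of the zone SOA an authoritative server should return in a
    negative answer: the same record with only the TTL tweaked (the shape
    of the NSD fix described in this bug, modelled here as an assumption)."""
    return replace(zone_soa, ttl=negative_ttl(zone_soa))


def authority_soa_is_trimmed(answer_soa_line: str) -> bool:
    """Check a negative answer from the response alone: the returned SOA's
    TTL can never legitimately exceed its own MINIMUM field. A TTL at or
    below MINIMUM but above the zone's real SOA TTL would still be wrong;
    detecting that needs a separate SOA query for comparison."""
    soa = parse_soa(answer_soa_line)
    return soa.ttl <= soa.minimum


# Constructed sample data (placeholder names, not real captures): a zone
# whose SOA TTL is 172800 and whose MINIMUM is 7200.
ZONE_SOA = ("example. 172800 IN SOA ns.example. hostmaster.example. "
            "2005092801 7200 3600 1209600 7200")
# What a server that trims per RFC 2308 returns for a non-existent name:
TRIMMED_ANSWER = ("example. 7200 IN SOA ns.example. hostmaster.example. "
                  "2005092801 7200 3600 1209600 7200")
# What a server that copies the zone SOA unchanged returns (the behaviour
# reported for f.ns.se above):
UNTRIMMED_ANSWER = ZONE_SOA

if __name__ == "__main__":
    soa = parse_soa(ZONE_SOA)
    print("negative answer SOA TTL should be", negative_ttl(soa))
    for label, line in (("trimmed", TRIMMED_ANSWER), ("untrimmed", UNTRIMMED_ANSWER)):
        print(label, "ok" if authority_soa_is_trimmed(line) else "NOT trimmed")
```

Running the block prints the expected negative-answer TTL (7200 for the sample zone) and flags the untrimmed record. The same check can be pointed at the authority section of a real `dig` response: paste the SOA line into `authority_soa_is_trimmed`, and a result of `False` is the bug discussed here.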
(In reply to comment #3)
> There are 3 issues at work here:
> 1.NSD should also set a zero TTL on SOA queries (RFC 1035), compare
> dig @a.ns.se nonexistingdomain.se soa
> dig @f.ns.se nonexistingdomain.se soa
I'm not sure about that - it could also hurt more than do good, since nsd doesn't do dynamic update.
This has nothing to do with dyn. updates, but everything with caching. See 1035.
Bug #103 fixed.
Added an extra soa member to the zone struct, which holds
a copy of the soa with a tweaked TTL.
In query.c this soa_nx is returned instead of the actual
soa. For normal SOA queries the untweaked SOA is given.
The TTL=0 stuff seems to be something from BIND.