Bug 737 - Is it possible for unbound to set the TTL to 24h when receiving a DNS response with "no such name", even when the TTL in the response was set to 60s by the DNS server?
Status: ASSIGNED
Product: unbound
Classification: Unclassified
Component: server
Version: 1.4.20
Hardware: x86_64 Linux
Importance: P1 blocker
Assigned To: unbound team
Depends on:
Blocks:
Reported: 2016-01-20 17:49 CET by sunshine
Modified: 2016-01-21 12:58 CET (History)

See Also:


Attachments
unbound configure file, slot6_internal_recursive_local_remote.conf (29.26 KB, text/plain)
2016-01-21 12:42 CET, sunshine
packet to include the request and response with "No such name" (441.08 KB, application/octet-stream)
2016-01-21 12:51 CET, sunshine

Description sunshine 2016-01-20 17:49:46 CET
Is it possible for unbound to set the TTL to 24h when receiving a DNS response with "no such name", even when the TTL in the response was set to 60s by the DNS server?
Comment 1 Wouter Wijngaards 2016-01-20 18:37:07 CET
Hi Sunshine,

The cache-min-ttl option can force higher TTLs. But it will do it for all TTLs, not just 'no such name' responses.

There is a cache-max-negative-ttl option that works specifically for no-such-name responses, but this decreases negative TTLs (to 3600 seconds by default; perhaps you do not want this default, but it does not solve your problem, I think).

Best regards, Wouter
Comment 2 sunshine 2016-01-21 12:42:31 CET
Created attachment 318
unbound configure file, slot6_internal_recursive_local_remote.conf

This is the unbound configuration file.
Comment 3 Wouter Wijngaards 2016-01-21 12:45:53 CET
Hi,

Your config file looks fine.

There is no option to make unbound do what you want it to do, at this time.  cache-min-ttl and cache-max-negative-ttl are related options, but do not do what you need.

Best regards, Wouter
Comment 4 sunshine 2016-01-21 12:51:13 CET
Created attachment 319
packet to include the request and response with "No such name"
Comment 5 sunshine 2016-01-21 12:53:39 CET
Dear unbound support, 

Unbound runs on a host with the IP 10.185.249.138. The DNS server has the IP 10.185.245.48.
The configuration file is xxxxxx, which has been attached to this ticket.

In packet #1538, one SRV DNS query is sent out from the local host to the external DNS server.
In packet #1539, the DNS server responds with "No such name". This response has an "Authoritative nameservers" section, which includes a TTL of 60.

Unbound forwards this response to our service. In the cache of our service, TTL is 86400.

Question: under this configuration, when it receives this error response, is it possible for unbound to reset this TTL from 60 to 86400 or another value?

Thanks
Sunshine
Comment 6 Wouter Wijngaards 2016-01-21 12:58:17 CET
Hi Sunshine,

No, Unbound does not do that. It uses the lowest TTL in the response packet as the TTL for the NXDOMAIN. If the upstream server has the option to respond with minimal-responses (this option makes it omit the nameservers from these responses), then you may get what you want: unbound gets a response without those nameservers, and the TTL (the lowest TTL in the packet) is then a larger value.

Unbound does this because it wants to give the full packet to the client. If one of the data records expires, it cannot give the full packet to the client any more. The 60s TTL on the nameservers then affects all responses from that nameserver, including positive responses, unless it uses options such as 'minimize-responses' to omit the nameservers unless they are asked for.

Best regards, Wouter
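To illustrate the behaviour Wouter describes in comments 1 and 6, here is an added example (not unbound's code and not from the ticket) that models how the effective negative-cache TTL is derived: the lowest TTL of any record in the NXDOMAIN response, then capped by cache-max-negative-ttl. The zone name, record TTLs and the simplified cap order are constructed assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record from a DNS response (name, type, TTL)."""
    name: str
    rtype: str
    ttl: int


# Constructed NXDOMAIN response modelled on the ticket: the authority
# section carries the zone's NS records with TTL 60 beside the SOA.
# The zone name and TTL values are illustrative, not from the capture.
AUTHORITY_WITH_NS = (
    RR("example.internal.", "SOA", 86400),
    RR("example.internal.", "NS", 60),
    RR("example.internal.", "NS", 60),
)


def negative_cache_ttl(records, cache_max_negative_ttl=3600):
    """Seconds the NXDOMAIN would stay cached, following comment 6
    (lowest TTL in the packet) and comment 1 (cache-max-negative-ttl
    only ever lowers it, default 3600). Simplified model, assumption."""
    if not records:
        raise ValueError("NXDOMAIN response has no records to take a TTL from")
    lowest = min(rr.ttl for rr in records)
    return min(lowest, cache_max_negative_ttl)


def minimal_response(records):
    """Model an upstream that sends minimal responses: the NS records are
    omitted from the authority section, the SOA needed for negative
    caching is kept."""
    return tuple(rr for rr in records if rr.rtype != "NS")


if __name__ == "__main__":
    print("full response :", negative_cache_ttl(AUTHORITY_WITH_NS))
    trimmed = minimal_response(AUTHORITY_WITH_NS)
    print("minimal, default cap:", negative_cache_ttl(trimmed))
    print("minimal, cap raised :", negative_cache_ttl(trimmed, 86400))
```

With the NS records present the NXDOMAIN lives 60s; without them the default cache-max-negative-ttl of 3600 becomes the limit, so reaching 86400 also needs that option raised.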