Hello Karl On Thu, 26 Aug 2010 23:17:29 +1000, Karl Auer <ka...@biplane.com.au> said:
> Some time ago (at least six years) I wrote a program that, among many > other related operations, creates new zones for a nameserver. This > program creates new zones that have a TTL value of zero for the SOA > record. > That's what RFC1035 seems to say it should do. When describing TTLs, it > says "For example, SOA records are always distributed with a zero TTL to > prohibit caching." RFC 2181 section 7.2 clarifies that this advice should be ignored. > That isn't very prescriptive, now that I think about it. It doesn't say > that it should or must happen - just that it happens. But it does make > sense to me, now as then - why would anyone want to cache an SOA? > There's a sort-of-related BIND config item, "zero-no-soa-ttl", the > description of which states: > "When returning authoritative negative responses to SOA queries set > the TTL of the SOA record returned in the authority section to > zero. The default is yes." > That's only for negative responses, and only for SOA queries. Still, it > does seem to suggest that other people think there's generally no need > to cache SOA records, and especially not negatively. > Anyway, I just received an email from someone who runs a secondary for > us saying that he was getting a constant 50 qps for a non-existent RR. > He says that if our SOA had a non-zero TTL, it would get cached and the > problem would move downstream and that would be nice. He *also* says > that the SOA TTL acts as an upper bound for the negative caching TTL. [I'm that guy :] > I don't think he is right on either count. The querying nameserver gets > an SOA record returned, and in that record is the negative caching TTL > it should use. That is, it may not cache the SOA, but it isn't *looking* > for the SOA. It's getting one as a side effect of looking up something > that doesn't exist. The TTL of the SOA is not having any effect here. RFC 2308, section 3 The TTL of this [SOA record in authority section of negative response] record is set from the minimum of the MINIMUM field of the SOA record and the TTL of the SOA itself, and indicates how long a resolver may cache the negative answer. > That said, a non-zero SOA TTL certainly seems to be common, perhaps the > norm. I don't think so. This was an issue for the org zone as well (with further implications for DNSKEY records), see <https://lists.dns-oarc.net/pipermail/dns-operations/2009-June/thread.html#4018> > So to my questions: > - have I got totally and completely the wrong end of the stick here? My reading of the specs would suggest that. > - should I update my program to allow non-zero SOA TTLs? Yes, unless I'm the one with the wrong end of the stick :) -- Alex _______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
