On Tue, 11 Jan 2011 18:46:39 +0100, Kalman Feher <kalman.fe...@melbourneit.com.au> said:
> I'm curious whether the domain in question had a DS in the parent zone? No, it didn't. The effect is there even if the parent zone does not support DNSSEC. I stumbled over this while I was checking whether my tools could properly handle turning on DNSSEC for an existing zone, which involves having to wait for cached DNSKEY NODATA to expire from caches before adding the DS. > On 11/01/11 4:52 PM, "Chris Thompson" <c...@cam.ac.uk> wrote: >> On Jan 11 2011, Alexander Gall wrote: >> >>> It appears that NODATA responses for qtype=DNSKEY are not cached if >>> DNSSEC validation is enabled (tested with 9.7.2-P3). What is the >>> rationale behind this? >> >> I confirm the effect (same release). Or rather, the NODATA does get cached, >> as shown by a "!DNSKEY" count in the statistics display, but a new request >> goes back to the authoritative servers again anyway, as shown by the outgoing >> queries count and by the SOA in the authority section of the NODATA response >> having its original value. I'm tending towards calling this a bug :) -- Alex _______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
