Thanks, Mark. It looks like two resolvers with a forward-first policy pointing at each other. The forwarding loop is the potential cause, which is rare. I think it is not configured by one operator, but a forwarding loop may be produced by accident between two operators.
Davey

On Thu, Sep 1, 2022 at 12:53 PM Mark Andrews <ma...@isc.org> wrote:
> If you have 2 recursive servers each talking to each other and falling back
> to iterative lookups say after 10ms or so, or doing non-recursive queries of the
> other server. If both servers cache negative responses w/o SOA records then
> if the queries come in the right pattern server A will learn the -ve response
> from server B, then before the "cached" response on A has timed out, server B
> will learn the "cached" response from server A. If the zone is then updated
> the recursive servers may never go back to it.
>
> No cached data
>
> A example.com/A RD=0 -> B referral (best NS RRset) -> A -> iterative query
>
> Cached example
>
> B has "cached" a NOSOA / NODATA for example.com/A for 10 sec at T=0
>
> At T=5
> A example.com/A RD=0 -> B NODATA/N -> A "cached" NOSOA/NODATA for 10 secs
>
> At T=11
> B example.com/A RD=0 -> A NODATA/N -> B "cached" NOSOA/NODATA for 10 secs
>
> Mark
>
> > On 1 Sep 2022, at 13:59, Davey Song <songlinj...@gmail.com> wrote:
> >
> > Hi folks,
> >
> > We found that negative responses without SOA records exist on the
> > Internet. I noticed that RFC2308 suggests not caching negative responses
> > without SOA records to avoid a loop.
> >
> > So I'm wondering what the loop or circle is. Does it mean the resolver may
> > cache the negative response forever by resetting the TTL? I think it is largely
> > dependent on how the resolver implements it. Or are there other risks of
> > looping I may miss?
> >
> > In section 5 of RFC2308 it says:
> >
> > Negative responses without SOA records SHOULD NOT be cached as there
> > is no way to prevent the negative responses looping forever between a
> > pair of servers even with a short TTL.
> >
> > Despite the DNS forming a tree of servers, with various
> > misconfigurations it is possible to form a loop in the query graph, e.g.
> > two servers listing each other as forwarders, various lame server
> > configurations. Without a TTL count down a cached negative response
> > when received by the next server would have its TTL reset. This
> > negative indication could then live forever circulating between the
> > servers involved.
> >
> >
> > Best regards,
> > Davey
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations