On Wed, Apr 13, 2011 at 06:04:31PM -0000, John Levine wrote:

> Since the TTL on a negative cache entry comes from the TTL on the SOA
> returned with the NXDOMAIN, this means that they'll be returning SOAs
> with different TTLs on different responses. This strikes me as
> something that's not technically illegal, but that people who write
> DNS caches didn't anticipate. Is it likely to break anything?

Strictly, the TTL on a negative cache entry comes from the minimum of the TTL of the SOA and the SOA.MINIMUM subfield. So the strategy won't work if the latter is too low. I'll ignore that and just assume you're dealing with it.

In principle, a cache will need to be able to cope with the possibility that the TTL will change on a record in between times the cache looked. That's for two reasons: the authoritative server's records could change, or there could be a cache in between.

It strikes me that a cache might not actually overwrite its negative cache for a zone if it already has a negative TTL longer than the one it gets in a given answer, on the grounds that having been given the longer TTL before it is permitted to continue using that. So I think you'll probably need to test widely in order to learn whether your strategy will actually work in practice.

> Bonus question: with DNSSEC, a cache can use NSEC info to synthesize
> NXDOMAIN responses for nearby addresses. Will inconsistent TTLs break
> anything then?

I think you'd have to ask implementers of such synthesizing caches. But I can't see how.

A

--
Andrew Sullivan
a...@shinkuro.com
Shinkuro, Inc.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
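The two points in the reply above, the RFC 2308 rule that the negative TTL is the smaller of the SOA TTL and SOA.MINIMUM, and the possibility that a cache keeps an existing longer negative entry rather than shortening it, modelled as an added toy resolver cache (example code, not from the thread or any real resolver; the record values, names and the `keep_longer` policy are constructed assumptions):

```python
"""Toy negative-cache model (added example, not code from the thread).

Shows why varying the SOA TTL between NXDOMAIN answers may not shorten
what a resolver already holds: the negative TTL is min(SOA TTL,
SOA.MINIMUM) (RFC 2308 section 5), and a cache that keeps a longer
existing entry ignores the later, shorter answer.  All values below
are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class SOA:
    ttl: int       # TTL of the SOA record in the authority section
    minimum: int   # SOA.MINIMUM subfield


def negative_ttl(soa: SOA) -> int:
    """RFC 2308: the negative cache TTL is the smaller of the two."""
    return min(soa.ttl, soa.minimum)


class NegativeCache:
    def __init__(self, keep_longer: bool):
        # keep_longer=True: an existing entry whose remaining TTL is
        # longer is not shortened by a later NXDOMAIN (assumed policy).
        self.keep_longer = keep_longer
        self.entries = {}  # qname -> absolute expiry time (seconds)

    def record_nxdomain(self, name: str, soa: SOA, now: int) -> int:
        expiry = now + negative_ttl(soa)
        current = self.entries.get(name)
        if current is not None and self.keep_longer and current > expiry:
            return current  # keep the longer entry already held
        self.entries[name] = expiry
        return expiry

    def remaining(self, name: str, now: int) -> int:
        exp = self.entries.get(name)
        return 0 if exp is None or exp <= now else exp - now


def simulate(keep_longer: bool) -> int:
    """Authoritative server first answers with SOA TTL 3600, then with 60."""
    cache = NegativeCache(keep_longer)
    cache.record_nxdomain("nope.example", SOA(ttl=3600, minimum=86400), now=0)
    cache.record_nxdomain("nope.example", SOA(ttl=60, minimum=86400), now=10)
    return cache.remaining("nope.example", now=10)
```

Running `simulate(True)` versus `simulate(False)` shows the same two answers leaving 3590 or 60 seconds of negative caching depending on the cache's policy, which is why the reply recommends testing widely.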