On Monday, 8 July 2019 16:42:39 UTC Michael J. Sheldon wrote:
> ...
>
> If a record is requested from an authoritative server, where the zone does
> not exist, generally the response is REFUSED, but *this is not cached* by
> the requesting server. This results in a nearly continuous stream of
> retries, which continue to result in the same response. Our authoritative
> servers see no less than 15%, and sometimes as much as 25% of our worldwide
> traffic as these non-authoritative responses.
>
> There needs to be a means to signal to a recursive server that it should not
> requery a REFUSED response for a specified period of time. Given that these
> responses do not have ANSWER records to put a TTL on, return a (new) EDNS
> record?
I've always sent back SERVFAIL when the zone isn't loaded, on either a primary or secondary (authoritative, that is) server. And I cache SERVFAIL on the recursive/iterative side with a holddown timer equal to the negative TTL interval (SOA.MINIMUM). But I didn't realize that the standard doesn't say to do this, until I read the above.

--
Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
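The following is an added illustration, not code from either poster, of the two behaviours the thread contrasts: a recursive resolver that never caches REFUSED (so every client retry reaches the authority, the retry stream Michael describes) versus one that puts REFUSED/SERVFAIL under a holddown timer, as Paul does. Everything in it is constructed for the example: the class and function names, the sample zone data (example.com served, example.net not), and the fixed 300-second holddown. Paul ties his holddown to SOA.MINIMUM; since a REFUSED or SERVFAIL response carries no SOA, the model simply takes the holddown as a resolver-configured value, which is an assumption of this example rather than a statement of how his servers obtain it. RFC 2308 NXDOMAIN/NODATA negative caching is out of scope and not modelled.

```python
# Added example (not from the thread): toy model of a recursive resolver in
# front of an authoritative server, comparing no caching of REFUSED/SERVFAIL
# with a holddown cache. All names, zone data and timings are constructed.

NOERROR, SERVFAIL, REFUSED = "NOERROR", "SERVFAIL", "REFUSED"


class Authoritative:
    """Authoritative server loaded with some zones. A query under a zone it
    does not serve gets `unknown_zone_rcode`: REFUSED in the behaviour the
    first message reports, SERVFAIL in the reply's servers."""

    def __init__(self, zones, unknown_zone_rcode=REFUSED):
        # zones: {"example.com.": {"www.example.com.": ("192.0.2.1", 3600)}}
        self.zones = zones
        self.unknown_zone_rcode = unknown_zone_rcode
        self.queries_seen = 0  # how many queries actually reached us

    def query(self, qname):
        self.queries_seen += 1
        for zone, records in self.zones.items():
            if qname == zone or qname.endswith("." + zone):
                if qname in records:
                    rdata, ttl = records[qname]
                    return NOERROR, rdata, ttl
                # Name under a zone we serve but absent: NXDOMAIN negative
                # caching (RFC 2308) is deliberately not modelled here.
                return "NXDOMAIN", None, 0
        # Zone not loaded here: no ANSWER section, hence no TTL to cache on.
        return self.unknown_zone_rcode, None, 0


class Resolver:
    """Recursive resolver with a cache. Positive answers are cached for their
    record TTL. REFUSED/SERVFAIL carry no TTL, so they are cached for a
    configured `holddown` (assumed value); holddown=0 means never cache them,
    which is the behaviour that produces the retry stream."""

    def __init__(self, upstream, holddown=300):
        self.upstream = upstream
        self.holddown = holddown
        self.cache = {}  # qname -> (expires_at, rcode, rdata)

    def resolve(self, qname, now):
        hit = self.cache.get(qname)
        if hit is not None and now < hit[0]:
            return hit[1], hit[2], True  # served from cache, no upstream query
        rcode, rdata, ttl = self.upstream.query(qname)
        if rcode == NOERROR:
            self.cache[qname] = (now + ttl, rcode, rdata)
        elif rcode in (REFUSED, SERVFAIL) and self.holddown > 0:
            self.cache[qname] = (now + self.holddown, rcode, None)
        return rcode, rdata, False


def simulate(holddown, unknown_zone_rcode, n_queries=60, interval=10):
    """Send n_queries for a name in a zone the authority does not serve, one
    every `interval` seconds, and return how many reached the authority."""
    auth = Authoritative(
        {"example.com.": {"www.example.com.": ("192.0.2.1", 3600)}},
        unknown_zone_rcode,
    )
    res = Resolver(auth, holddown)
    for i in range(n_queries):
        rcode, _, _ = res.resolve("www.example.net.", now=i * interval)
        assert rcode == unknown_zone_rcode  # client sees the same rcode either way
    return auth.queries_seen


if __name__ == "__main__":
    for hd in (0, 300):
        n = simulate(hd, REFUSED)
        print(f"holddown={hd:3d}s: {n} of 60 client queries reached the authority")
```

With holddown 0 all 60 retries in the ten-minute window reach the authority; with a 300-second holddown only two do (at t=0 and at t=300, when the entry expires), while clients still receive the same rcode on every query.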