Maintained by: NLnet Labs

[Unbound-users] Inconsistent TTL in (nxdomain) responses

W.C.A. Wijngaards
Mon Mar 7 09:13:26 CET 2011


Hi Michael,

On 03/06/2011 11:13 PM, Slingerland, Michael van wrote:
> Hi,
>  
> I configured a stub-zone for testing a new zone that solely responds
> NXDOMAIN with a minimum TTL of 1 week on all PTRs.
> The assumption is that Unbound would limit the TTL to the value configured
> in unbound.conf, which equals 1 day by default.
>  
> cache-max-ttl: 86400

Yes, that works.  This TTL is used internally; the client sees the
original large TTL value.

> I noticed that Unbound responds with either the TTL configured in the
> zone or the cache-max-ttl. The inconsistency in TTL in the answers seems
> to be sort of random to me.

You did not configure your 1-week TTL properly.  Just dig @ns1.info.nl
and you see that for NXDOMAIN you get a 24hr TTL.


> # dig @localhost -x 95.98.40.50  
>  
> ; <<>> DiG 9.4.2-P2 <<>> @localhost -x 95.98.40.50
> ; (3 servers found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40349
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>  
> ;; QUESTION SECTION:
> ;50.40.98.95.in-addr.arpa.      IN      PTR
>  
> ;; AUTHORITY SECTION:
> 98.95.in-addr.arpa.     604800  IN      SOA     ns1.info.nl.
> postmaster.info.nl. 2010067876 3600 900 1209600 604800
>  
> ;; Query time: 531 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Sun Mar  6 22:17:15 2011
> ;; MSG SIZE  rcvd: 100
>  
> # dig @localhost -x 95.98.40.50
>  
> ; <<>> DiG 9.4.2-P2 <<>> @localhost -x 95.98.40.50
> ; (3 servers found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62410
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>  
> ;; QUESTION SECTION:
> ;50.40.98.95.in-addr.arpa.      IN      PTR
>  
> ;; AUTHORITY SECTION:
> 98.95.in-addr.arpa.     604798  IN      SOA     ns1.info.nl.
> postmaster.info.nl. 2010067876 3600 900 1209600 604800
>  
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Sun Mar  6 22:17:17 2011
> ;; MSG SIZE  rcvd: 100
>  
> # dig @localhost -x 95.98.40.51  
>  
> ; <<>> DiG 9.4.2-P2 <<>> @localhost -x 95.98.40.51
> ; (3 servers found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 17167
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>  
> ;; QUESTION SECTION:
> ;51.40.98.95.in-addr.arpa.      IN      PTR
>  
> ;; AUTHORITY SECTION:
> 98.95.in-addr.arpa.     86400   IN      SOA     ns1.info.nl.
> postmaster.info.nl. 2010067876 3600 900 1209600 86400
>  
> ;; Query time: 4 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Sun Mar  6 22:17:21 2011
> ;; MSG SIZE  rcvd: 100

Notice here the SOA with 2010067876 3600 900 1209600 86400
is different from the SOA 2010067876 3600 900 1209600 604800
above.  Your authority server is giving the different responses.
(are your ns1, ns2, ns3 properly in sync?  Incremented SOA serial?)

Best regards,
   Wouter
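The diagnosis above rests on two things: the negative-caching TTL of an NXDOMAIN answer is derived from the SOA in the AUTHORITY section, and the three quoted responses carry SOA records that differ in their MINIMUM field although the serial is the same. The following script is an added example, not part of the thread and not Unbound code. It parses the AUTHORITY SECTION of dig output, computes the negative-cache TTL as RFC 2308 defines it (the smaller of the SOA record's TTL and its MINIMUM field), models the cache-max-ttl cap the way Wouter's reply describes it (applied internally, not to what the client sees; this modelling is an assumption about that behaviour, not verified against Unbound source), and flags SOA records that share a serial but differ in content, which is the out-of-sync-servers symptom the reply points at. The sample responses are the SOA lines quoted in the mail, trimmed to the relevant section.

```python
"""Check NXDOMAIN responses for inconsistent negative-cache TTLs.

Added example, not part of the original mailing-list thread and not
Unbound code.  Parses the AUTHORITY SECTION of dig output, derives the
RFC 2308 negative-caching TTL, models a cache-max-ttl cap, and reports
SOA records that disagree despite carrying the same serial.
"""
import re
from collections import defaultdict

# SOA in dig presentation format, after the record has been unwrapped
# onto one line and whitespace collapsed.
SOA_RE = re.compile(
    r"^(?P<owner>\S+) (?P<ttl>\d+) IN SOA (?P<mname>\S+) (?P<rname>\S+) "
    r"(?P<serial>\d+) (?P<refresh>\d+) (?P<retry>\d+) (?P<expire>\d+) (?P<minimum>\d+)$"
)

# Constructed samples: the AUTHORITY sections quoted in the mail.
SAMPLE_RESPONSES = [
    ";; AUTHORITY SECTION:\n"
    "98.95.in-addr.arpa.     604800  IN      SOA     ns1.info.nl.\n"
    "postmaster.info.nl. 2010067876 3600 900 1209600 604800\n\n"
    ";; Query time: 531 msec\n",
    ";; AUTHORITY SECTION:\n"
    "98.95.in-addr.arpa.     604798  IN      SOA     ns1.info.nl.\n"
    "postmaster.info.nl. 2010067876 3600 900 1209600 604800\n\n"
    ";; Query time: 0 msec\n",
    ";; AUTHORITY SECTION:\n"
    "98.95.in-addr.arpa.     86400   IN      SOA     ns1.info.nl.\n"
    "postmaster.info.nl. 2010067876 3600 900 1209600 86400\n\n"
    ";; Query time: 4 msec\n",
]


def parse_authority_soa(dig_output):
    """Return the SOA from the AUTHORITY SECTION as a dict, or None."""
    m = re.search(r";; AUTHORITY SECTION:\n(.*?)(?:\n\s*\n|\Z)", dig_output, re.S)
    if not m:
        return None
    # dig (and mail clients) wrap long SOA lines; join and collapse spaces.
    text = " ".join(m.group(1).split())
    r = SOA_RE.match(text)
    if not r:
        return None
    soa = r.groupdict()
    for field in ("ttl", "serial", "refresh", "retry", "expire", "minimum"):
        soa[field] = int(soa[field])
    return soa


def negative_ttl(soa):
    """RFC 2308 section 5: a negative answer is cached for the smaller of
    the SOA record's own TTL and its MINIMUM field."""
    return min(soa["ttl"], soa["minimum"])


def cached_ttl(ttl, cache_max_ttl=86400):
    """TTL a resolver keeps internally under cache-max-ttl (default 86400).
    Assumption following the reply in the thread: the cap applies to the
    cache entry only, the client still sees the original value."""
    return min(ttl, cache_max_ttl)


def find_soa_inconsistencies(soas):
    """Group SOAs by (owner, serial) and return groups whose RDATA differs.

    The record TTL is deliberately excluded from the comparison: it counts
    down while the entry sits in cache (604800 vs 604798 in the samples),
    so only the zone-controlled fields are compared.  Same serial with
    different REFRESH/RETRY/EXPIRE/MINIMUM means the authoritative servers
    are not serving the same zone data.
    """
    variants = defaultdict(set)
    for soa in soas:
        key = (soa["owner"], soa["serial"])
        variants[key].add((soa["refresh"], soa["retry"], soa["expire"], soa["minimum"]))
    return {key: v for key, v in variants.items() if len(v) > 1}


if __name__ == "__main__":
    soas = [parse_authority_soa(r) for r in SAMPLE_RESPONSES]
    for soa in soas:
        neg = negative_ttl(soa)
        print(f"{soa['owner']} serial={soa['serial']} negative TTL={neg} "
              f"cached under cache-max-ttl={cached_ttl(neg)}")
    for (owner, serial), v in find_soa_inconsistencies(soas).items():
        print(f"WARNING: {owner} serial {serial} seen with differing SOA RDATA: {sorted(v)}")
```

Run against real data by feeding `parse_authority_soa` the output of `dig` against each authoritative server in turn; a non-empty result from `find_soa_inconsistencies` is the condition to fix on the authoritative side before looking at the resolver's TTL handling.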