Maintained by: NLnet Labs

[Unbound-users] Strange TTL of the SOA record for a noexist domain query

Likun Zhang
Tue May 10 03:37:14 CEST 2011


Hi Wouter, 

On Monday, May 09, 2011 8:52 PM, Wouter wrote:

> Hi Likun,
>
> > According to section 5 in RFC2308, it should be a bug of unbound, especially when
> > the TTL and minimal of soa are different.
> 
> Yes, there seems to be a bug.  Unbound picks up the SOA from the
> positive answer, with its longer TTL, and uses that to answer the
> negative answer as well, mixing the positive-answer-SOA with the
> negative-answer-SOA and getting the TTL wrong.
> 
> The negative answer does not get a longer cache time because of this.
> That time is administered on its own, for the NXDOMAIN.
> 
> The TTL reported to downstream requestors is then not correct.  I am
> not sure how to fix this, as unbound puts information in the RRset and
> in the message cache.

I took a quick look at the message and rrset cache. A possible solution for it may be: add a secondary rrset cache for one message cache. That rrset cache only stores the SOA record got from the negative response, so the SOA rrset pointer in the message cache can point to the normal rrset cache or the secondary rrset cache.

I don't think it's perfect, but maybe it will reduce the changes to the code.

Thanks
Likun
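
The behaviour discussed in this message, as an added example that is not part of the original post and is not Unbound code: a toy resolver in which the NXDOMAIN message entry points at a shared SOA rrset, next to the secondary-cache variant proposed above. The class, function and zone names, the sample TTL values and the rule that a later-expiring entry is kept are all assumptions of this model.

```python
from dataclasses import dataclass

@dataclass
class SOA:
    zone: str
    ttl: int      # TTL on the SOA record as received
    minimum: int  # SOA MINIMUM field

def negative_ttl(soa):
    # RFC 2308 section 5: the negative TTL is the lesser of the SOA's own TTL and its MINIMUM
    return min(soa.ttl, soa.minimum)

class ToyResolver:
    def __init__(self, separate_negative_soa):
        self.rrset_cache = {}    # zone -> (SOA, expiry), shared by all messages
        # Proposed secondary cache: holds only SOAs taken from negative responses
        self.neg_soa_cache = {} if separate_negative_soa else self.rrset_cache
        self.msg_cache = {}      # qname -> (zone, expiry of the NXDOMAIN itself)

    def store_positive_soa(self, soa, now):
        self.rrset_cache[soa.zone] = (soa, now + soa.ttl)

    def store_nxdomain(self, qname, soa, now):
        expiry = now + negative_ttl(soa)
        held = self.neg_soa_cache.get(soa.zone)
        # Model assumption: an entry that expires later is not replaced
        if held is None or held[1] < expiry:
            self.neg_soa_cache[soa.zone] = (soa, expiry)
        self.msg_cache[qname] = (soa.zone, expiry)

    def nxdomain_soa_ttl(self, qname, now):
        """TTL of the authority-section SOA sent downstream, or None once expired."""
        zone, msg_expiry = self.msg_cache[qname]
        if now >= msg_expiry:
            return None
        return self.neg_soa_cache[zone][1] - now

def simulate(separate_negative_soa):
    r = ToyResolver(separate_negative_soa)
    soa = SOA("example.com.", ttl=86400, minimum=300)  # constructed sample values
    r.store_positive_soa(soa, now=0)                    # answer to "example.com. SOA"
    r.store_nxdomain("nx.example.com.", soa, now=10)    # NXDOMAIN carrying the same SOA
    return (r.nxdomain_soa_ttl("nx.example.com.", now=20),
            r.nxdomain_soa_ttl("nx.example.com.", now=400))
```

In both variants the NXDOMAIN entry itself expires on the negative TTL; only the SOA TTL reported downstream differs.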