Maintained by: NLnet Labs

unbound NXDOMAIN TTL shared between records

Patrik Lundin
Fri Aug 21 17:14:55 CEST 2015


Hello,

I recently noticed what to me is a strange caching behaviour for
NXDOMAIN results.

This has been seen both on Ubuntu 14.04 with unbound 1.4.22 and on
OpenBSD with unbound 1.5.2.

I noticed that for some domains, the cache TTL for NXDOMAIN results
seemed to be shared for all nonexistent replies under that domain:

The first lookup (which also suspiciously seems to use the SOA TTL of 7200
rather than the NXDOMAIN TTL of 18000):
===
$ dig nonexistant1.unbound.net

; <<>> DiG 9.4.2-P2 <<>> nonexistant1.unbound.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 35933
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;nonexistant1.unbound.net.      IN      A

;; AUTHORITY SECTION:
unbound.net.            7200    IN      SOA     ns.nlnetlabs.nl. postmaster.unbound.net. 2015081500 28800 7200 604800 18000

;; Query time: 474 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Aug 21 16:51:23 2015
;; MSG SIZE  rcvd: 104
===

The second lookup for that same name, which as one would expect has a
decremented TTL:
===
$ dig nonexistant1.unbound.net 

; <<>> DiG 9.4.2-P2 <<>> nonexistant1.unbound.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9365
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;nonexistant1.unbound.net.      IN      A

;; AUTHORITY SECTION:
unbound.net.            7195    IN      SOA     ns.nlnetlabs.nl. postmaster.unbound.net. 2015081500 28800 7200 604800 18000

;; Query time: 0 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Aug 21 16:51:28 2015
;; MSG SIZE  rcvd: 104
===

Now we look up another nonexistent domain, which I would expect to have a TTL
of 7200 (18000?), but this one shares the reported TTL with my previous lookup:
===
$ dig nonexistant2.unbound.net 

; <<>> DiG 9.4.2-P2 <<>> nonexistant2.unbound.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 27898
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;nonexistant2.unbound.net.      IN      A

;; AUTHORITY SECTION:
unbound.net.            7189    IN      SOA     ns.nlnetlabs.nl. postmaster.unbound.net. 2015081500 28800 7200 604800 18000

;; Query time: 32 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Aug 21 16:51:34 2015
;; MSG SIZE  rcvd: 104
===

Does anyone else see this? Is it by design? What makes this even more confusing
to me is that I see different results for different domains. I believe I am
even seeing different results inside the same domains possibly depending on
what I have looked up before that.

-- 
Patrik Lundin
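As an added example (not part of Patrik's post and not unbound's own code), a small Python check that reads the QUESTION, AUTHORITY SOA and ";; WHEN:" lines from dig output like the runs above, computes the RFC 2308 negative-caching TTL (the smaller of the SOA record's own TTL and its MINIMUM field, which for this zone is min(7200, 18000) = 7200), and tests whether a series of lookups is consistent with one shared cache entry counting down across different names. The three lookups from the post are embedded as constructed sample input; the regexes assume dig's default output layout, and the function and variable names are the example's own.

```python
import re
from datetime import datetime

# Regexes assume dig's default layout: a QUESTION line, an AUTHORITY SOA line and a ";; WHEN:" line.
QNAME_RE = re.compile(r"^;(\S+)\.\s+IN\s+", re.M)
SOA_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+SOA\s+\S+\s+\S+\s+\d+\s+\d+\s+\d+\s+\d+\s+(\d+)", re.M)
WHEN_RE = re.compile(r"^;; WHEN: (.+)$", re.M)

# Constructed sample input: the three lookups from the post, trimmed to the lines the check reads.
SOA = "ns.nlnetlabs.nl. postmaster.unbound.net. 2015081500 28800 7200 604800 18000"
SAMPLE_RUNS = [
    f";nonexistant1.unbound.net.  IN  A\nunbound.net.  7200  IN  SOA  {SOA}\n;; WHEN: Fri Aug 21 16:51:23 2015\n",
    f";nonexistant1.unbound.net.  IN  A\nunbound.net.  7195  IN  SOA  {SOA}\n;; WHEN: Fri Aug 21 16:51:28 2015\n",
    f";nonexistant2.unbound.net.  IN  A\nunbound.net.  7189  IN  SOA  {SOA}\n;; WHEN: Fri Aug 21 16:51:34 2015\n",
]

def parse_dig(text):
    """Extract qname, answer time, zone, SOA TTL and SOA MINIMUM from one dig run."""
    qname, soa, when = QNAME_RE.search(text), SOA_RE.search(text), WHEN_RE.search(text)
    if not (qname and soa and when):
        raise ValueError("expected an NXDOMAIN answer carrying an SOA in AUTHORITY")
    return {"qname": qname.group(1), "zone": soa.group(1),
            "when": datetime.strptime(when.group(1).strip(), "%a %b %d %H:%M:%S %Y"),
            "soa_ttl": int(soa.group(2)), "minimum": int(soa.group(3))}

def negative_ttl(soa_ttl, minimum):
    """RFC 2308 section 3: a negative answer is cached for min(SOA TTL, SOA MINIMUM)."""
    return min(soa_ttl, minimum)

def shared_entry(observations, slack=1):
    """True if every (when, ttl) pair fits one cache entry counting down from the first pair."""
    first_when, first_ttl = observations[0]
    for when, ttl in observations[1:]:
        expected = first_ttl - int((when - first_when).total_seconds())
        if abs(ttl - expected) > slack:  # a fresh (un-decremented) TTL for a new name lands here
            return False
    return True

def analyse(runs):
    """Expected negative TTL for the zone, plus whether the observed TTLs across names count
    down together the way one shared cache entry would (the post's case) or not."""
    parsed = [parse_dig(r) for r in runs]
    zones = {p["zone"] for p in parsed}
    if len(zones) != 1:
        raise ValueError(f"runs span several zones: {sorted(zones)}")
    # soa_ttl of the first run is the full value only when that run missed the cache, as in the post
    return {"zone": zones.pop(), "names": [p["qname"] for p in parsed],
            "negative_ttl": negative_ttl(parsed[0]["soa_ttl"], parsed[0]["minimum"]),
            "shared": shared_entry([(p["when"], p["soa_ttl"]) for p in parsed])}
```

Running `analyse(SAMPLE_RUNS)` on the post's three lookups reports a negative TTL of 7200 and `shared` as True; feeding it lookups whose TTLs restart at 7200 for each new name reports `shared` as False.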