Maintained by: NLnet Labs

Negative cache being ignored.

Havard Eidnes
Tue Oct 17 14:21:39 CEST 2017


> In this example, trying to look up a CAA record for a domain:
> ...
> # time host -t CAA jhmnet.net 192.168.136.181 
...
> real    0m3.876s 
>
> Run this again, immediately after:
..
> real    0m0.016s
>
> Implying the cache is working as expected. (cache-max-negative-ttl: 120)
> 
> However, after about ~9 seconds, the query goes back to taking
> 3-4 seconds, implying it's not. Sure enough a tcpdump on the
> host running unbound shows it trying to access the jhmnet.net
> Auth server(s)
>
> Why is unbound not respecting the 2 (120second) min max-negative-ttl?

The situation with jhmnet.net is that it's completely off the
air, because neither of the two delegated-to name servers serve
the zone, so you have a "double lame delegation".

Negative caching revolves around negative authoritative answers,
and this isn't that -- the resolver simply wasn't able to get any
answer whatsoever.

Regards,

- Håvard
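
A simplified sketch of the RFC 2308 rule behind the reply above, added here as an example (not Unbound's code and not part of the original message): only an NXDOMAIN or NODATA response carrying an SOA in the authority section gets a negative TTL, capped by `cache-max-negative-ttl`, while a SERVFAIL or a timeout gets none. The helper names, the `example` zone names and the sample messages are constructed for illustration.

```python
import struct

SOA, CAA = 6, 257
MAX_NEG_TTL = 120  # cache-max-negative-ttl value quoted in the thread

def name(n):
    """Encode a dotted name in uncompressed DNS wire format."""
    return b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\0"

def response(rcode, qname, soa=None):
    """Build a constructed CAA response; soa is (rr_ttl, minimum) or None."""
    msg = struct.pack("!6H", 1, 0x8000 | rcode, 1, 0, 1 if soa else 0, 0)
    msg += name(qname) + struct.pack("!HH", CAA, 1)
    if soa:
        rdata = name("ns.example") + name("host.example")
        rdata += struct.pack("!5I", 1, 2, 3, 4, soa[1])  # MINIMUM is last
        msg += name("example") + struct.pack("!HHIH", SOA, 1, soa[0], len(rdata)) + rdata
    return msg

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:            # compression pointer ends the name
            return off + 2
        off += 1 + n
        if n == 0:                        # root label ends the name
            return off

def classify(msg):
    """Return (kind, negative TTL in seconds, or None if not negative-cacheable)."""
    if msg is None:                       # timeout: no answer whatsoever
        return ("no-answer", None)
    _, flags, qd, an, ns, _ = struct.unpack("!6H", msg[:12])
    off, neg = 12, None
    for _ in range(qd):
        off = skip_name(msg, off) + 4     # skip QTYPE and QCLASS
    for i in range(an + ns):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if i >= an and rtype == SOA:      # SOA in the authority section
            minimum = struct.unpack("!I", msg[off - 4:off])[0]
            neg = min(ttl, minimum, MAX_NEG_TTL)
    rcode = flags & 0xF
    if neg is not None and rcode == 3:
        return ("NXDOMAIN", neg)
    if neg is not None and rcode == 0 and an == 0:
        return ("NODATA", neg)
    return ("failure", None)              # SERVFAIL etc.: not a negative answer
```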