[Unbound-users] TTL for Negative Responses

Paul Taylor PaulTaylor at winn-dixie.com
Thu Feb 9 16:52:59 UTC 2012

I did a bit more testing and found that the time the data is cached for does appear to coincide with the TTL for the domain, though this is likely to be really coinciding with the Minimum TTL, as it is the same value.

Here's the SOA record for one of our AD Domains:

Answer section:
SOA-record for redacted.com:
    Primary DNS server = redacted
    Responsible person = redacted
    Serial number = 270261
    Refresh interval = 86400
    Retry interval = 600
    Expire interval = 432000
    Default / minimum TTL = 14400
    TTL = 14400 (4 hours)

According to the RFC, the minimum TTL is actually used for two different purposes:  1. As a Default TTL value and 2. As the TTL for negative responses. 

This may cause an issue when we add new records, in that the people who handle DNS administration would need to specify a different TTL value (assuming this value acts as the default).   

If at all possible, I'd like to control this on the DNS server itself instead of relying on the remote DNS server to be configured with reasonable values. 

-----Original Message-----
From: Ondřej Surý [mailto:ondrej at sury.org] 
Sent: Tuesday, January 31, 2012 10:27 AM
To: Paul Taylor
Cc: unbound-users at unbound.net
Subject: Re: [Unbound-users] TTL for Negative Responses

Setting MINIMUM value in SOA doesn't help? (RFC 2308)

On Mon, Jan 30, 2012 at 21:26, Paul Taylor <PaulTaylor at winn-dixie.com> wrote:
> Another DNS product I’ve looked at has two options relative to max cache
> time…  A time for Positive responses, and a different time for Negative
> responses.
> We are looking for this because on our local domain, sometimes servers
> unregister in Active Directory DNS upon reboot.  This just happened today
> with one of our servers.  After the reboot, it was no longer in DNS.  Since
> Unbound forwards our local domains to our AD DNS servers, it didn’t give us
> a response for this DNS name.  I manually ran ipconfig /registerdns on the
> server once we determined what had happened and within a few minutes, it was
> resolving again in AD, but some 10 minutes later it was still returning no
> address when we queried our test Unbound server.  Finally, I recycled
> Unbound, and then queried it for this name, and it returned the expected
> IP.
> I’m not 100% sure what happened, but it looks like Unbound queried the AD
> DNS servers and cached a negative response for this hostname.  It looks like
> Unbound then kept this cached information until I restarted Unbound.
> Ideally, we’d like to have a “negative cache ttl” set to 60 or 120 seconds,
>  so when a host unregisters itself, then re-registers, Unbound would pick up
> on the re-registration fairly quickly, instead of caching the negative
> response…  (Assuming this is what happened above)
> Am I requesting a new feature?  Or is there an existing setting that does
> this that I’ve overlooked?
> Thanks,
> Paul
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users

Ondřej Surý <ondrej at sury.org>

More information about the Unbound-users mailing list