[Unbound-users] Unbound doesn't cache ANY query result from some DNSSEC-signed zone
Matthijs Mekking
matthijs at nlnetlabs.nl
Wed Jul 24 07:49:32 UTC 2013
On 06/28/2013 07:10 PM, Daisuke HIGASHI wrote:
> Hi,
>
> 2013/6/10 W.C.A. Wijngaards <wouter at nlnetlabs.nl>:
>
>> cache-min-ttl could perhaps change unbound's behaviour here.
>
> Thank you for your suggestion and I confirmed
> that "cache-min-ttl: <small number>" leads Unbound to cache
> such ANY-query results.
>
> 2013/6/10 Peter Koch <pk at denic.de>:
>> I am not convinced that implementing ANY as 'all', encouraging
>> false expectations, is really the right thing to do.
>> Additionally, in the context of recent events - even if unbound
>> would only rarely be run as open recursive - it 'helps' authoritative
>> servers to see more queries.
>
> At nameserver-side, giving non-zero TTL for NSEC3PARAM records
> might be a workaround against this issue.
> Unfortunately OpenDNSSEC decided to set zero-TTL
> to NSEC3PARAM of signing zones [1].
>
> [1] https://issues.opendnssec.org/browse/OPENDNSSEC-330

FYI: We are going back to default TTL in the upcoming patch versions for
OpenDNSSEC 1.3 and 1.4

Best regards,
Matthijs

>
> Regards,
> --
> Daisuke HIGASHI <daisuke.higashi at gmail.com>
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
>