[Unbound-users] Unbound doesn't cache ANY query result from some DNSSEC-signed zone

Daisuke HIGASHI daisuke.higashi at gmail.com
Fri Jun 28 17:10:38 UTC 2013


2013/6/10 W.C.A. Wijngaards <wouter at nlnetlabs.nl>:

> cache-min-ttl could perhaps change unbound's behaviour here.

  Thank you for your suggestion and I confirmed
that "cache-min-ttl: <small number>" leads Unbound to cache
such ANY-query results.

2013/6/10 Peter Koch <pk at denic.de>:
> I am not convinced that implementing ANY as 'all', encouraging
> false expectations, is really the right thing to do.
> Additionally, in the context of recent events - even if unbound
> would only rarely be run as open recursive - it 'helps' authoritative
> servers to see more queries.

  At nameserver-side, giving non-zero TTL for NSEC3PARAM records
might be an workaround against this issue.
Unfortunately OpenDNSSEC decided to set zero-TTL
to NSEC3PARAM of signing zones [1].

[1] https://issues.opendnssec.org/browse/OPENDNSSEC-330

 Daisuke HIGASHI <daisuke.higashi at gmail.com>

More information about the Unbound-users mailing list