unbound NXDOMAIN TTL shared between records

Stephan Lagerholm stlagerh at microsoft.com
Fri Aug 21 15:40:14 UTC 2015 

Hi Patrik,

Yes I can confirm that unbound have a "domain wide" NXD caching. As long as the returned TTL for your second query is lower than the max TTL for the record this (IMHO) is not a violation of RFC2308. However there are domains out there that return a higher TTL for EMPTY NOERROR vs NXDOMAIN and this can trick unbound into cache the value longer than expected. This issue was reported to unbound. 

Using the SOA TTL is expected see RFC 2308 section 3. 
The TTL of this record is set from the minimum of the MINIMUM field of the SOA record and the TTL of the SOA itself, and indicates how long a resolver may cache the negative answer.

For more info watch the video from the DNS OARC workshop in Amsterdam about 39 minutes in https://www.youtube.com/watch?v=UcAygzNSxlI

Thanks, Stephan Lagerholm

> -----Original Message-----
> From: Unbound-users [mailto:unbound-users-bounces at unbound.net] On
> Behalf Of Patrik Lundin via Unbound-users
> Sent: Friday, August 21, 2015 8:15 AM
> To: unbound-users at unbound.net
> Subject: unbound NXDOMAIN TTL shared between records
> 
> Hello,
> 
> I recently noticed what to me is a strange caching behaviour for NXDOMAIN
> results.
> 
> This has been seen both on Ubuntu 14.04 with unbound 1.4.22 and on
> OpenBSD with unbound 1.5.2.
> 
> I noticed that for some domains, the cache TTL for NXDOMAIN results
> seemed to be shared for all nonexistant replies under that domain:
> 
> The first lookup (which also suspiciously seems to use the SOA TTL of 7200
> rather than the NXDOMAIN TTL of 18000):
> ===
> dig
> https://na01.safelinks.protection.outlook.com/?url=nonexistant1.unbound.
> net&data=01%7c01%7cstlagerh%40microsoft.com%7c4780f7fab8a045710b9
> 908d2aa3b8ac9%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=w6aM
> HZJ%2fsTmXyKW2aCIqsaB2m3t1X3bSrQSR4QEk0os%3d
> 
> ; <<>> DiG 9.4.2-P2 <<>>
> https://na01.safelinks.protection.outlook.com/?url=nonexistant1.unbound.
> net&data=01%7c01%7cstlagerh%40microsoft.com%7c4780f7fab8a045710b9
> 908d2aa3b8ac9%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=w6aM
> HZJ%2fsTmXyKW2aCIqsaB2m3t1X3bSrQSR4QEk0os%3d
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 35933 ;; flags: qr rd
> ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;nonexistant1.unbound.net.      IN      A
> 
> ;; AUTHORITY SECTION:
> unbound.net.            7200    IN      SOA     ns.nlnetlabs.nl.
> postmaster.unbound.net. 2015081500 28800 7200 604800 18000
> 
> ;; Query time: 474 msec
> ;; SERVER: 192.168.1.1#53(192.168.1.1)
> ;; WHEN: Fri Aug 21 16:51:23 2015
> ;; MSG SIZE  rcvd: 104
> ===
> 
> The second lookup for that same name, which as one would expect has a
> decremented TTL:
> ===
> $ dig
> https://na01.safelinks.protection.outlook.com/?url=nonexistant1.unbound.
> net&data=01%7c01%7cstlagerh%40microsoft.com%7c4780f7fab8a045710b9
> 908d2aa3b8ac9%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=w6aM
> HZJ%2fsTmXyKW2aCIqsaB2m3t1X3bSrQSR4QEk0os%3d
> 
> ; <<>> DiG 9.4.2-P2 <<>>
> https://na01.safelinks.protection.outlook.com/?url=nonexistant1.unbound.
> net&data=01%7c01%7cstlagerh%40microsoft.com%7c4780f7fab8a045710b9
> 908d2aa3b8ac9%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=w6aM
> HZJ%2fsTmXyKW2aCIqsaB2m3t1X3bSrQSR4QEk0os%3d
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9365 ;; flags: qr rd
> ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;nonexistant1.unbound.net.      IN      A
> 
> ;; AUTHORITY SECTION:
> unbound.net.            7195    IN      SOA     ns.nlnetlabs.nl.
> postmaster.unbound.net. 2015081500 28800 7200 604800 18000
> 
> ;; Query time: 0 msec
> ;; SERVER: 192.168.1.1#53(192.168.1.1)
> ;; WHEN: Fri Aug 21 16:51:28 2015
> ;; MSG SIZE  rcvd: 104
> ===
> 
> Now we look up another nonexistant domain, which I would expect to have
> a TTL of 7200 (18000?), but this one shares the reported TTL with my
> previous lookup:
> ===
> $ dig
> https://na01.safelinks.protection.outlook.com/?url=nonexistant2.unbound.
> net&data=01%7c01%7cstlagerh%40microsoft.com%7c4780f7fab8a045710b9
> 908d2aa3b8ac9%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=8pLKV
> 79WhwE6EXBrwFSkm73o6du8mTKzHuNyL4qrbz4%3d
> 
> ; <<>> DiG 9.4.2-P2 <<>>
> https://na01.safelinks.protection.outlook.com/?url=nonexistant2.unbound.
> net&data=01%7c01%7cstlagerh%40microsoft.com%7c4780f7fab8a045710b9
> 908d2aa3b8ac9%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=8pLKV
> 79WhwE6EXBrwFSkm73o6du8mTKzHuNyL4qrbz4%3d
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 27898 ;; flags: qr rd
> ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;nonexistant2.unbound.net.      IN      A
> 
> ;; AUTHORITY SECTION:
> unbound.net.            7189    IN      SOA     ns.nlnetlabs.nl.
> postmaster.unbound.net. 2015081500 28800 7200 604800 18000
> 
> ;; Query time: 32 msec
> ;; SERVER: 192.168.1.1#53(192.168.1.1)
> ;; WHEN: Fri Aug 21 16:51:34 2015
> ;; MSG SIZE  rcvd: 104
> ===
> 
> Does anyone else see this? Is it by design? What makes this even more
> confusing to me is that I see different results for different domains. I
> believe I am even seeing different results inside the same domains possibly
> depending on what I have looked up before that.
> 
> --
> Patrik Lundin

More information about the Unbound-users mailing list