unbound NXDOMAIN TTL shared between records

Patrik Lundin patrik at sigterm.se
Fri Aug 21 18:16:03 UTC 2015

On Fri, Aug 21, 2015 at 03:40:14PM +0000, Stephan Lagerholm wrote:
> Yes I can confirm that unbound have a "domain wide" NXD caching. As
> long as the returned TTL for your second query is lower than the max
> TTL for the record this (IMHO) is not a violation of RFC2308.

Interesting... Is it documented somewhere where why it is done this way?
I was actually worried that it could be a symptom of getting close to
my configured msg-cache-size or something like that.

> However
> there are domains out there that return a higher TTL for EMPTY NOERROR
> vs NXDOMAIN and this can trick unbound into cache the value longer
> than expected. This issue was reported to unbound. 
> For more info watch the video from the DNS OARC workshop in Amsterdam
> about 39 minutes in https://www.youtube.com/watch?v=UcAygzNSxlI

Thanks a lot for pointing out your presentation. I just looked through
it and it was very informative.

I had specifically scratched my head looking at nonexistant1.google.com
returning a TTL of 600 to my client which matched neither the 86400 SOA
TTL or the 300 minimum TTL.

It was interesting to hear that the 600 came from the NXDOMAIN response
for the equivalent AAAA lookup of nonexistant1.google.com.

Patrik Lundin

More information about the Unbound-users mailing list