If you have 2 recursive servers, each talking to the other and falling back to iterative lookups, say after 10 ms or so, or doing non-recursive queries of the other server. If both servers cache negative responses w/o SOA records, then if the queries come in the right pattern server A will learn the -ve response from server B; then, before the “cached” response on A has timed out, server B will learn the “cached” response from server A. If the zone is then updated the recursive servers may never go back to it.
No cached data

A example.com/A RD=0 -> B
referral (best NS RRset) -> A -> iterative query

Cached example

B has “cached” a NOSOA / NODATA for example.com/A for 10 sec at T=0

At T=5
A example.com/A RD=0 -> B
NODATA/N -> A “cached” NOSOA/NODATA for 10 secs

At T=11
B example.com/A RD=0 -> A
NODATA/N -> B “cached” NOSOA/NODATA for 10 secs

Mark

> On 1 Sep 2022, at 13:59, Davey Song <[email protected]> wrote:
>
> Hi folks,
>
> We found that there are Negative responses without SOA records in the
> Internet. I noticed that RFC2308 suggests not caching Negative responses
> without SOA records to avoid a loop.
>
> So I'm wondering what the loop or circle is. Does it mean the resolver may
> cache the Negative response forever by resetting the TTL? I think it is
> largely dependent on how the resolver implements it. Or are there other
> risks of looping I may miss?
>
> In section 5 of RFC2308 it says:
>
>    Negative responses without SOA records SHOULD NOT be cached as there
>    is no way to prevent the negative responses looping forever between a
>    pair of servers even with a short TTL.
>
>    Despite the DNS forming a tree of servers, with various mis-
>    configurations it is possible to form a loop in the query graph, e.g.
>    two servers listing each other as forwarders, various lame server
>    configurations. Without a TTL count down a cache negative response
>    when received by the next server would have its TTL reset. This
>    negative indication could then live forever circulating between the
>    servers involved.
>
>
> Best regards,
> Davey

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [email protected]
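The timeline above, played out as a small simulation (an added example, not code from the thread or from ISC): two caching servers that try each other with RD=0 before going iterative, once with the RFC 2308 section 5 behaviour and once caching SOA-less negatives with the TTL reset on receipt. The zone contents, the 10 s negative TTL, the 6 s query spacing and the 192.0.2.1 record are constructed for the run.

```python
from dataclasses import dataclass

NEG_TTL = 10            # SOA minimum / negative TTL of the zone (constructed)
NAME = "example.com/A"  # the QNAME/QTYPE from the timeline above


@dataclass
class Server:
    name: str
    sloppy: bool          # True: cache SOA-less negatives and reset their TTL
    neg_expiry: int = -1  # absolute time at which the cached NODATA expires

    def from_cache(self, now):
        """Answer an RD=0 query from cache: (rcode, has_soa, ttl) or None."""
        if now >= self.neg_expiry:
            return None                       # nothing cached -> referral
        if self.sloppy:                       # serves the negative without SOA
            return ("NODATA", False, NEG_TTL)
        return ("NODATA", True, self.neg_expiry - now)  # SOA, TTL counted down

    def resolve(self, now, peer, zone):
        """Resolve NAME: own cache, then the peer (RD=0), then iteratively."""
        hit = self.from_cache(now)
        if hit:
            return hit[0]
        hit = peer.from_cache(now)
        if hit:
            _, has_soa, ttl = hit
            if has_soa:                       # RFC 2308: cacheable, TTL counts down
                self.neg_expiry = now + ttl
                return "NODATA"
            if self.sloppy:                   # the loop: cache anyway, TTL reset
                self.neg_expiry = now + NEG_TTL
                return "NODATA"
            # compliant: a SOA-less negative is not cached; go iterative
        if NAME in zone:
            return "A " + zone[NAME]
        self.neg_expiry = now + NEG_TTL       # authoritative NODATA carries SOA
        return "NODATA"


def simulate(sloppy, update_at=12, last=35):
    """Clients alternate between A and B every 6 s; the record appears at update_at."""
    a, b = Server("A", sloppy), Server("B", sloppy)
    b.neg_expiry = NEG_TTL                    # B cached a NODATA for NAME at T=0
    zone, trace = {}, []
    for t in range(5, last + 1, 6):           # T=5 A, T=11 B, T=17 A, ...
        if t >= update_at:
            zone[NAME] = "192.0.2.1"          # constructed: zone now has the record
        srv, peer = (a, b) if (t // 6) % 2 == 0 else (b, a)
        trace.append((t, srv.name, srv.resolve(t, peer, zone)))
    return trace
```

With `sloppy=True` every query through T=35 still returns NODATA although the record exists from T=12; with the section 5 behaviour the counted-down TTLs run out and the first query after T=21 reaches the zone.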
