From: Wouter Wijngaards Date: Mon, 6 Apr 2009 14:36:42 +0000 (+0000) Subject: NXDOMAIN TTL considerations. X-Git-Tag: release-1.3.0~32 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3ee3492095a24cf88832a4c88408d1083f19da67;p=thirdparty%2Funbound.git NXDOMAIN TTL considerations. git-svn-id: file:///svn/unbound/trunk@1591 be551aaa-1e26-0410-a405-d3ace91eadb9 --- diff --git a/doc/Changelog b/doc/Changelog index de87d18f3..2577d6ff2 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -12,6 +12,7 @@ libunbound/python/examples) are not installed. - python invalidate routine respects packed rrset ids and locks. - clock skew checks in unbound, config statements. + - nxdomain ttl considerations in requirements.txt 3 April 2009: Wouter - Fixed a bug that caused messages to be stored in the cache too diff --git a/doc/requirements.txt b/doc/requirements.txt index 81418213d..165527dae 100644 --- a/doc/requirements.txt +++ b/doc/requirements.txt 
@@ -243,3 +243,17 @@ o 0x20 backoff. They are sent to a random server, but no one address more than 4 times. It succeeds if one has 0x20 intact, or else all are equal. Otherwise, servfail is returned to the client. + +o NXDOMAIN and SOA serial numbers. + Unbound keeps TTL values for message formats, and thus rcodes, such + as NXDOMAIN. Also it keeps the latest rrsets in the rrset cache. + So it will faithfully negative cache for the exact TTL as originally + specified for an NXDOMAIN message, but send a newer SOA record if + this has been found in the mean time. In point, this could lead to a + negative cached NXDOMAIN reply with a SOA RR where the serial number + indicates a zone version where this domain is not any longer NXDOMAIN. + These situations become consistent once the original TTL expires. + If the domain is DNSSEC signed, by the way, then NSEC records are + updated more carefully. If one of the NSEC records in an NXDOMAIN is + updated from another query, the NXDOMAIN is dropped from the cache, + and queried for again, so that its proof can be checked again.
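Review bot: The new entry in the doc/Changelog hunk has no trailing period, while the two entries above it in the same hunk ("... respects packed rrset ids and locks." and "... config statements.") end with one. Add the period, and consider writing the path as doc/requirements.txt so the entry names the file the commit actually touches.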
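Review bot: In the doc/requirements.txt hunk, the unsigned case is described but never stated as either a requirement or an accepted limitation. The paragraph says a negative-cached NXDOMAIN can go out with a newer SOA whose serial belongs to a zone version where the name is no longer NXDOMAIN, and only adds that this becomes consistent once the original TTL expires. State explicitly that the mismatch is accepted for the remainder of the TTL, since a reader comparing the SOA serial in a reply against the zone will otherwise take it for a cache fault. On wording: "In point" reads as a slip for "In particular", "not any longer NXDOMAIN" is clearer as "no longer NXDOMAIN", and "by the way" can be dropped. The item title "NXDOMAIN and SOA serial numbers" also covers less than the paragraph, which ends with the NSEC drop-and-requery rule; a title that mentions both would make the item easier to find.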