If none of the servers for the whole zone can be contacted, how long will such fact be cached for?
Answer
According to the 1998-03 rfc2308#section-7.1
, if the resolution is not successful, and results in a SERVFAIL
(e.g., from a timeout), then it MAY be cached, but if so, it MUST NOT be cached for longer than 5 minutes.
In practice, it appears that it's often not cached at all, or, if cached, is cached for a purely symbolic amount of time, like a single second.
Prior to BIND 9.9.6-S1 (released in 2014), apparently,
SERVFAIL
was not cached at all.It was introduced with commit
a878301
(2014-09-04).E.g., at the time of this question and in all versions of BIND released prior to 2014, the BIND recursive resolver DID NOT cache
SERVFAIL
, if the above commit and the documentation about the first introduction in 9.9.6-S1 is to be believed.In the latest BIND, the default
servfail-ttl
setting has been set at1s
since 2015 (as of 2016), and has been hardcoded to a ceiling of30s
(in place of the RFC-mandated ceiling of300s
).See commit
90174e6
(2015-10-17).During 2014/2015, the default was
10s
, and the ceiling was300s
, but, as per the quotes below, the higher numbers were found to be unreasonably pessimistic.
Noteworthy references (with respective quotes) include:
https://kb.isc.org/article/AA-01178/ (2014/2016-01-07)
The outcome of caching SERVFAIL responses has included some situations where it was seen to be detrimental to the client experience, particularly when the causes of the SERVFAIL being presented to the client were transient and from a scenario where an immediate retry of the query would be a more appropriate action.
http://cr.yp.to/djbdns/third-party.html (2003-01-11)
The second tactic is to claim that widespread DNS clients will do something Particularly Evil when they are unable to reach all DNS servers. The problem with this argument is that the claim is false. Any such client is clearly buggy, and will be unable to survive in the marketplace: consider what happens if the client's routers briefly go down, or if the client's network is temporarily flooded.
In summary, SERVFAIL
is unlikely to be cached, but even if cached, it'll be at most a double- or even a single-digit number of seconds.
No comments:
Post a Comment