If none of the servers for the whole zone can be contacted, how long will such fact be cached for?
4 Answers
According to the 1998-03 rfc2308#section-7.1, if the resolution is not successful, and results in a SERVFAIL (e.g., from a timeout), then it MAY be cached, but if so, it MUST NOT be cached for longer than 5 minutes.
In practice, it appears that it's often not cached at all, or, if cached, is cached for a purely symbolic amount of time, like a single second.
Prior to BIND 9.9.6-S1 (released in 2014), apparently, SERVFAIL was not cached at all. It was introduced with commit a878301 (2014-09-04). E.g., at the time of this question and in all versions of BIND released prior to 2014, the BIND recursive resolver DID NOT cache SERVFAIL, if the above commit and the documentation about the first introduction in 9.9.6-S1 are to be believed.
In the latest BIND, the default servfail-ttl setting has been set at 1s since 2015 (as of 2016), and has been hardcoded to a ceiling of 30s (in place of the RFC-mandated ceiling of 300s). See commit 90174e6 (2015-10-17). During 2014/2015, the default was 10s, and the ceiling was 300s, but, as per the quotes below, the higher numbers were found to be unreasonably pessimistic.
Noteworthy references (with respective quotes) include:
https://kb.isc.org/article/AA-01178/ (2014/2016-01-07)
The outcome of caching SERVFAIL responses has included some situations where it was seen to be detrimental to the client experience, particularly when the causes of the SERVFAIL being presented to the client were transient and from a scenario where an immediate retry of the query would be a more appropriate action.
http://cr.yp.to/djbdns/third-party.html (2003-01-11)
The second tactic is to claim that widespread DNS clients will do something Particularly Evil when they are unable to reach all DNS servers. The problem with this argument is that the claim is false. Any such client is clearly buggy, and will be unable to survive in the marketplace: consider what happens if the client's routers briefly go down, or if the client's network is temporarily flooded.
In summary, SERVFAIL is unlikely to be cached, but even if cached, it'll be at most a double- or even a single-digit number of seconds.
-
Given that BIND is still the dominant DNS server deployed globally, I'd say it's a stretch to say that it's "unlikely to be cached". ISTR that SERVFAIL caching was specifically introduced because without it a DNSSEC validation failure could cause a storm of queries. This was reported on by Roy Arends and Geoff Huston but I can't find a reference to it just now. – Alnitak Jan 08 '17 at 23:45
-
@Alnitak, I don't see why it's a stretch: (0), introduced so recently, most people are not running such bleeding edge BIND code (if they did care about latest and greatest, they might as well run another server); (1), long-term, a one-second cache can hardly be described as "cached". – cnst Jan 09 '17 at 16:00
In BIND 9.11, a SERVFAIL response is cached for 1 second by default.
From the BIND Administrator Reference Manual:
servfail-ttl
Sets the number of seconds to cache a SERVFAIL response due to DNSSEC validation failure or other general server failure. If set to 0, SERVFAIL caching is disabled. The SERVFAIL cache is not consulted if a query has the CD (Checking Disabled) bit set; this allows a query that failed due to DNSSEC validation to be retried without waiting for the SERVFAIL TTL to expire.
The maximum value is 30 seconds; any higher value will be silently reduced. The default is 1 second.
This is implemented according to RFC 2308, although in practice the maximum timeouts specified therein were found to be problematic, hence the current default.
-
thanks for the answer, it's been like only 3 years for this question to exist, and lots of misconstrued answers that have since been heavily downvoted and deleted back 3 years ago! – cnst Jan 06 '17 at 23:41
-
heh, apparently, 3 years ago the whole thing didn't even exist — http://serverfault.com/a/824873/110020 – cnst Jan 08 '17 at 01:41
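The two answers above describe the same set of rules from different angles: RFC 2308 section 7.1 allows a resolver to cache a SERVFAIL for at most 300 seconds, while BIND's servfail-ttl option clamps whatever is configured to a 30-second ceiling, treats 0 as "disabled", and bypasses the cache entirely for queries carrying the CD bit. The following model of a resolver-side SERVFAIL cache is an added example, not code from the thread and not BIND's own implementation; the class and function names, the injectable clock, and the simulated always-failing upstream are assumptions made here so the effect of each setting on upstream query volume can be measured offline.

```python
"""Model of a recursive resolver's SERVFAIL cache (added example, not BIND code).

Rules modelled from the thread:
  * RFC 2308 s7.1: a SERVFAIL MAY be cached, but for no longer than 300 s.
  * BIND servfail-ttl: 0 disables caching; values above 30 s are silently
    reduced to 30 s; the default is 1 s.
  * A query with the CD (Checking Disabled) bit set never consults the cache.
The record layout, clock injection and simulation are assumptions of this example.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

RFC2308_MAX_SERVFAIL_TTL = 300   # seconds, ceiling mandated by RFC 2308 s7.1
BIND_MAX_SERVFAIL_TTL = 30       # seconds, BIND's hardcoded servfail-ttl ceiling
BIND_DEFAULT_SERVFAIL_TTL = 1    # seconds, BIND default since 2015


def clamp_servfail_ttl(configured: int, ceiling: int = BIND_MAX_SERVFAIL_TTL) -> int:
    """Apply the documented clamping: <= 0 disables caching, above ceiling is reduced."""
    if configured <= 0:
        return 0
    return min(configured, ceiling)


@dataclass
class ServfailCache:
    """Remembers SERVFAIL outcomes per (qname, qtype) for a clamped TTL."""
    servfail_ttl: int = BIND_DEFAULT_SERVFAIL_TTL
    ceiling: int = BIND_MAX_SERVFAIL_TTL
    clock: Callable[[], float] = time.monotonic  # injectable for deterministic tests
    _entries: Dict[Tuple[str, str], float] = field(default_factory=dict)

    def __post_init__(self) -> None:
        self.servfail_ttl = clamp_servfail_ttl(self.servfail_ttl, self.ceiling)

    def record_servfail(self, qname: str, qtype: str) -> None:
        """Store the failure with an absolute expiry; a TTL of 0 means never store."""
        if self.servfail_ttl == 0:
            return
        self._entries[(qname.lower(), qtype)] = self.clock() + self.servfail_ttl

    def cached_servfail(self, qname: str, qtype: str, cd_bit: bool = False) -> bool:
        """True if a still-valid SERVFAIL is cached and the query may use it."""
        if cd_bit or self.servfail_ttl == 0:   # CD queries bypass the cache
            return False
        key = (qname.lower(), qtype)
        expires = self._entries.get(key)
        if expires is None:
            return False
        if self.clock() >= expires:            # expired: evict and go upstream again
            del self._entries[key]
            return False
        return True


def simulate_upstream_queries(servfail_ttl: int, query_times: List[float],
                              cd_bit: bool = False) -> int:
    """Replay client queries at the given times against an upstream that always
    answers SERVFAIL (constructed scenario) and count how many reach upstream."""
    now = [0.0]
    cache = ServfailCache(servfail_ttl=servfail_ttl, clock=lambda: now[0])
    upstream_queries = 0
    for t in query_times:
        now[0] = t
        if cache.cached_servfail("example.test", "A", cd_bit=cd_bit):
            continue                            # answered from the SERVFAIL cache
        upstream_queries += 1                   # resolver retried the zone's servers
        cache.record_servfail("example.test", "A")
    return upstream_queries


if __name__ == "__main__":
    # Constructed burst: eight client queries over about half a minute.
    times = [0.0, 0.5, 0.9, 1.0, 1.5, 2.0, 31.0, 31.5]
    for ttl in (0, BIND_DEFAULT_SERVFAIL_TTL, 10, 300):
        print(f"servfail-ttl {ttl:>3} -> effective {clamp_servfail_ttl(ttl):>2}s, "
              f"upstream queries: {simulate_upstream_queries(ttl, times)}")
    print("with CD bit, ttl 1:", simulate_upstream_queries(1, times, cd_bit=True))
```

Running it shows why the thread's conclusion is "at most a single- or double-digit number of seconds": with the 1-second default, a transient failure is retried on the next second's query, while a configured 300 comes out as 30 because of the silent clamp, and a CD-bit query always goes back upstream regardless of the TTL.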
According to http://cr.yp.to/djbdns/third-party.html
RFC 2182 claims that DNS failures are not cached; that claim is false.
The timeout won't be cached. It has no TTL yet.
-
WTF downvoted this? I'm accepting it, because it seems like the most correct answer so far. – cnst Jan 06 '17 at 19:10
-
BTW, you were absolutely right! See http://serverfault.com/a/824875/110020! – cnst Jan 08 '17 at 01:43