Speaker
Mr
Stephan Lagerholm
(Microsoft)
Description
Negative caching is a DNS function described in RFC 2308. It follows the same basic idea and principles as positive caching: a record, or the lack of one, may be cached by a recursive resolver and reused for subsequent queries for the same QNAME and QCLASS. Since a negative response carries no record whose TTL could be used, the SOA record should be returned in that response instead.
The benefit of negative caching is that a zone operator can limit the number of queries for a nonexistent record. For example, if IPv6 is not enabled for a host, it makes sense to negatively cache the lack of AAAA records. The drawback is that records accidentally removed from DNS take longer to get back into a working state, and this is made worse by the fact that there is no easy way to do an Internet-wide cache flush. The zone operator must therefore carefully tune the negative cache settings in their zones to achieve the desired tradeoff between long and short negative caching.
Put simply, RFC 2308 clarifies and defines that the Minimum TTL field in the SOA record is the TTL that should be used for negative responses. The authoritative server should then copy this value into the TTL field of the SOA record it returns.
In reality, however, there are plenty of issues with how various brands of DNS software interpret the SOA record returned in negative responses. A simple test for a non-existent record (asddas7754dadas.google.com) in google.com, the Alexa top-ranked domain, yields three different results depending on which recursive software is used:
Windows DNS:
google.com. 300 IN SOA ns1.google.com. dns-admin.google.com. 86056494 7200 1800 1209600 300
ISC Bind:
google.com. 60 IN SOA ns1.google.com. dns-admin.google.com. 86056494 7200 1800 1209600 300
Unbound (cold start):
google.com. 600 IN SOA ns1.google.com. dns-admin.google.com. 86056494 7200 1800 1209600 300
This paper and presentation will shed some light on how various DNS systems interpret RFC 2308. We will try to answer the question of how long you can expect a negative record to be cached on the Internet. The outcome of this talk is that domain owners can make an informed decision on what values to use for negative caching. Additionally, operators of recursive servers will get some guidance on how to properly configure the negative caching settings on their end.
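As an added illustration (not part of the abstract or the authors' tooling), the following script parses the three SOA records quoted above, derives the negative-cache TTL that RFC 2308 prescribes (the minimum of the SOA record's TTL and its MINIMUM field), and compares the TTL each resolver handed back against the zone's MINIMUM field. It assumes, as RFC 2308 asks, that the authoritative server sets the SOA TTL equal to MINIMUM; the verdict strings and the `audit` helper are my own naming.

```python
import re
from dataclasses import dataclass

# The three responses quoted in the abstract: identical SOA RDATA, three different TTLs.
OBSERVED = {
    "Windows DNS": "google.com. 300 IN SOA ns1.google.com. dns-admin.google.com. 86056494 7200 1800 1209600 300",
    "ISC Bind": "google.com. 60 IN SOA ns1.google.com. dns-admin.google.com. 86056494 7200 1800 1209600 300",
    "Unbound": "google.com. 600 IN SOA ns1.google.com. dns-admin.google.com. 86056494 7200 1800 1209600 300",
}

# Presentation format: owner TTL IN SOA mname rname serial refresh retry expire minimum
SOA_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)\s+"
    r"(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)\s+(?P<expire>\d+)\s+(?P<minimum>\d+)$"
)

@dataclass(frozen=True)
class SOA:
    owner: str
    ttl: int        # TTL of the SOA record as returned in the authority section
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int    # MINIMUM field: the zone's negative-caching TTL per RFC 2308

def parse_soa(line: str) -> SOA:
    m = SOA_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a presentation-format SOA record: {line!r}")
    g = m.groupdict()
    return SOA(g["owner"], int(g["ttl"]), g["mname"], g["rname"], int(g["serial"]),
               int(g["refresh"]), int(g["retry"]), int(g["expire"]), int(g["minimum"]))

def negative_ttl(soa: SOA) -> int:
    """RFC 2308 section 3: a negative answer is cached for at most
    min(SOA TTL, SOA MINIMUM)."""
    return min(soa.ttl, soa.minimum)

def classify(soa: SOA) -> str:
    """Assumption: the authoritative SOA TTL equals MINIMUM, so a resolver returning a
    larger TTL is caching the negative answer longer than the zone allows."""
    if soa.ttl == soa.minimum:
        return "matches MINIMUM"
    return "shorter than MINIMUM" if soa.ttl < soa.minimum else "longer than MINIMUM"

def audit(observed: dict) -> dict:
    return {name: (negative_ttl(parse_soa(line)), classify(parse_soa(line)))
            for name, line in observed.items()}

if __name__ == "__main__":
    for name, (ttl, verdict) in audit(OBSERVED).items():
        print(f"{name:12s} RFC 2308 negative TTL = {ttl:4d}s  {verdict}")
```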
Summary
Agenda
Background
Results from investigation into how Authoritative servers handle RFC2308
Compliance with RFC 2308 amongst different server brands
Compliance with RFC 2308 amongst Alexa top 1000
Compliance with RFC 2308 amongst TLDs
Results from investigation into how Recursive servers handle RFC2308
Compliance with RFC 2308 amongst different server brands
Open recursive resolver test
Final remarks and questions
Primary author
Mr
Stephan Lagerholm
(Microsoft)
Co-authors
Mr
Jason Hughes
(Microsoft)
Mr
Joe Roselli
(Microsoft)