<div>I am sort of answering my own question here. I say 'sort of' since I don't think I have </div><div>the complete answer.</div><div><br></div><div>It looks like the TTL of '10800' is actually the maximum value set by BIND, and this is turning out to be more of a Bind implementation question, which I should instead be asking in the Bind forums.</div>
<div><br></div><div>If the TTL on the SOA record on pdns[12].<a href="http://abc.com">abc.com</a> is lowered to '30' from '86400', then</div><div>you see on the non-authorative BIND servers, the response changes from:</div>
<div> </div><div>;; AUTHORITY SECTION:</div><div><a href="http://xyz.abc.com">xyz.abc.com</a>. 10800 IN SOA localhost. <a href="http://admin.abc.com">admin.abc.com</a>. 1 60 3600 604800 3600</div><div><br></div>
<div>to:</div><div><br></div><div>;; AUTHORITY SECTION:</div><div><a href="http://xyz.abc.com">xyz.abc.com</a>. 30 IN SOA localhost. <a href="http://admin.abc.com">admin.abc.com</a>. 1 60 3600 604800 3600</div>
<div><br></div><div>The question is why is the TTL of the SOA record used for caching negative answers, not</div><div>the SOA minimum field?</div><div><br></div><div>Reading <a href="http://www.dns.net/dnsrd/rfc/rfc2308.html">http://www.dns.net/dnsrd/rfc/rfc2308.html</a>, it says:</div>
<div><br></div><div>"Name servers authoritative for a zone MUST include the SOA record of the zone in the </div><div>authority section of the response when reporting an NXDOMAIN or indicating that no data </div><div>
of the requested type exists. This is required so that the response may be cached. </div><div>The TTL of this record is set from the minimum of the MINIMUM field of the SOA record and the TTL of the SOA itself, and indicates how long a resolver may cache the negative answer."</div>
<div><br></div><div>And that doesn't seem clear to me, as TTL of the negative response is cached from BOTH the minimum field and the TTL of the SOA record? How is that possible? A max or min of those two numbers is taken? </div>
<div><br></div><div>But in Bind, it seems like it's taking the TTL of the SOA. If anyone has an explanation to this, please chime in. thanks.</div><div><br></div><div>AJ</div><div><br></div><br><div class="gmail_quote">
On Mon, Jun 28, 2010 at 7:19 PM, aldus jung <span dir="ltr"><<a href="mailto:aldusj99@gmail.com">aldusj99@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
We are running BIND version 9.7.0 environment with a delegated subdomain that is powered by pdns authoritative servers, and we have been noticing negative caching behavior on the subdomain that's unexpected. This may not be a bug, but rather my lack of understanding of pdns.. so I am hoping that someone on this forum could help in explaining this behavior. (I've changed the actual domain names as they are only used in our internal network.)<div>
<br></div><div>So we have <a href="http://abc.com" target="_blank">abc.com</a> that BIND 9.7.0 is authoritative for. And in named.hosts of (host: <a href="http://bind1.abc.com" target="_blank">bind1.abc.com</a>), we have:</div>
<div><br></div><div>xyz 30 IN NS <a href="http://pdns1.abc.com" target="_blank">pdns1.abc.com</a>.</div>
<div>xyz 30 IN NS <a href="http://pdns2.abc.com" target="_blank">pdns2.abc.com</a>.<br><div><br></div><div><br><div>On <a href="http://bind1.abc.com" target="_blank">bind1.abc.com</a>, if you query for a host that doesn't exist, this is dig's output:</div>
<div>> dig <a href="http://nohost.xyz.abc.com" target="_blank">nohost.xyz.abc.com</a> @<a href="http://bind1.abc.com" target="_blank">bind1.abc.com</a></div><div><div>; <<>> DiG 9.3.5-P1 <<>> <a href="http://nohost.xyz.abc.com" target="_blank">nohost.xyz.abc.com</a> @<a href="http://bind1.abc.com" target="_blank">bind1.abc.com</a></div>
<div>;; global options: printcmd</div><div>;; Got answer:</div><div>;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1298</div><div>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0</div>
<div><br></div><div>;; QUESTION SECTION:</div><div>;<a href="http://nohost.xyz.abc.com" target="_blank">nohost.xyz.abc.com</a>. IN A</div><div><br></div><div>;; AUTHORITY SECTION:</div><div><a href="http://xyz.abc.com" target="_blank">xyz.abc.com</a>. 10800 IN SOA localhost. <a href="http://admin.abc.com" target="_blank">admin.abc.com</a>. 1 60 3600 604800 3600</div>
</div><div><br></div><div><div>My question is, where is the '10800' coming from? The SOA record on pdns[12].<a href="http://abc.com" target="_blank">abc.com</a> has TTL of '86400'</div><div>Also, when I check the cache on <a href="http://bind1.abc.com" target="_blank">bind1.abc.com</a>, by doing: rndc -c rndc.conf dumpdb -all, I see:</div>
<div><div><br></div><div><a href="http://nohost.xyz.abc.com" target="_blank">nohost.xyz.abc.com</a>. 10796 \-ANY ;-$NXDOMAIN</div><div>; <a href="http://xyz.abc.com" target="_blank">xyz.abc.com</a>. SOA localhost. <a href="http://admin.abc.com" target="_blank">admin.abc.com</a>. 1 60 3600 604800 3600</div>
<div>; authauthority</div></div><div><br></div><div><br></div><div>Once we actually add '<a href="http://nohost.xyz.abc.com" target="_blank">nohost.xyz.abc.com</a>' A record to the mysql database, it takes significantly longer than 3600 seconds for the A record to resolve on <a href="http://bind1.abc.com" target="_blank">bind1.abc.com</a>.</div>
<div><br></div><div>We are running pdns-2.9.22 with mysql backend on Linux 2.6.18.</div><div><br></div><div>In the 'records' table, the SOA looks like this:</div><div>id, name, domain_id, type, content, ttl, prio, change_date, </div>
<div>1, <a href="http://xyz.abc.com" target="_blank">xyz.abc.com</a>, 1, SOA, localhost <a href="mailto:admin@abc.com" target="_blank">admin@abc.com</a> 1, 86400, NULL, NULL</div><div><br></div><div>In the 'domains' table:</div>
<div>id, master, name, last_check, type, notified_serial, account</div>
<div>1, NULL, <a href="http://xyz.abc.com" target="_blank">xyz.abc.com</a>, NULL, NATIVE, NULL,</div><div><br></div><div>________________________________</div><div>I've also set soa-refresh-default to '60' as it was the only place in the pdns.conf where I saw '10800'. And as you can see from the SOA entry, it correctly shows 60 for the SOA refresh.</div>
<div><br></div><div>If there are additional information that's needed to solve this puzzle, please let me know. thanks for all your help.</div><div><br></div><div>AJ</div><div><br></div><div><br></div><div><br></div>
<div><br></div></div></div></div>
</blockquote></div><br>