Negative cachetime

Hello,

We ran into an issue with cached negative answers and need clarification.

At t=0 a client asks unbound for test.example.org.
Unbound does not know anything about the domain and asks the nameserver ns1.example.org.
The answer is NXDOMAIN.

At t=1, some seconds later, the nameserver is reconfigured and now test.example.org exists.

At t=3 the same or another client asks unbound again for test.example.org.
The answer is still NXDOMAIN. t=3 is more than 14 hours later.

How long do I have to wait until unbound forgets the NXDOMAIN
and fetches new data from the authoritative server? Could that be controlled somehow?

The SOA record for example.org looks like this:
example.org. 12967 IN SOA example.org. hostmaster.example.org. 1501261358 43200 7200 2419200 86400

There was a similar question a year ago about min and max negative ttl without results.
http://unbound.net/pipermail/unbound-users/2014-February/003194.html

Andreas

Forgot to include the list in my response.

Regards,
Patrik Lundin

Up to 86400 seconds, or 24h in this example.

Originally the final parameter in a SOA record was the minimum TTL, and doubled as a default TTL, but it's now used to control the time a NXDOMAIN should be cached, so in your example, it's 24 hours. Note that RFC 2308 actually limits this to 3 hours.

http://www.zytrax.com/books/dns/apd/rfc2308.txt has all the details, but http://www.zytrax.com/books/dns/ch8/soa.html gives a quick overview.

I don't believe unbound can control how long a negative cache record lasts, only the neg-cache-size (in bytes), but I believe that this will still respect cache-max-ttl as well.
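
Added example, not part of the thread and not unbound's code: a small calculator for the RFC 2308 section 5 rule that a negative answer is cached for the minimum of the SOA record's own TTL and its MINIMUM field. The `resolver_cap` parameter is a hypothetical stand-in for any upper bound the cache applies, and `FRESH_SOA` is a constructed variant of the record from the question with its TTL set to 86400.

```python
from dataclasses import dataclass
from typing import Optional

# SOA record exactly as quoted in the question (TTL 12967 as shown there).
PAGE_SOA = ("example.org. 12967 IN SOA example.org. hostmaster.example.org. "
            "1501261358 43200 7200 2419200 86400")
# Constructed variant: same record with a TTL of 86400 (assumption).
FRESH_SOA = PAGE_SOA.replace(" 12967 ", " 86400 ", 1)

@dataclass
class Soa:
    owner: str
    ttl: int
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int

def parse_soa(line: str) -> Soa:
    """Parse a single-line IN SOA record in presentation format."""
    f = line.split()
    if len(f) != 11 or f[2].upper() != "IN" or f[3].upper() != "SOA":
        raise ValueError(f"not a single-line IN SOA record: {line!r}")
    return Soa(f[0], int(f[1]), f[4], f[5], *(int(x) for x in f[6:11]))

def negative_ttl(soa: Soa, resolver_cap: Optional[int] = None) -> int:
    """RFC 2308 section 5: negative TTL = min(SOA TTL, SOA MINIMUM).
    resolver_cap (hypothetical) models an upper bound set by the cache."""
    ttl = min(soa.ttl, soa.minimum)
    return ttl if resolver_cap is None else min(ttl, resolver_cap)

def still_cached(soa: Soa, age: int, resolver_cap: Optional[int] = None) -> bool:
    """True if an NXDOMAIN cached `age` seconds ago has not yet expired."""
    return age < negative_ttl(soa, resolver_cap)

if __name__ == "__main__":
    fourteen_hours = 14 * 3600
    for label, text in (("page", PAGE_SOA), ("constructed", FRESH_SOA)):
        soa = parse_soa(text)
        for cap in (None, 10800):  # 10800 s = the 3 hours mentioned in the reply
            print(label, "cap", cap, "negative TTL", negative_ttl(soa, cap),
                  "cached after 14h:", still_cached(soa, fourteen_hours, cap))
```
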