Unbound doesn't cache ANY query results from some DNSSEC-signed zones.
In this case Unbound always emits a query to the name server per user query.
# unbound doesn't cache
dig @::1 jp. ANY
dig @::1 fr. ANY
# unbound caches
dig @::1 com. ANY
dig @::1 nl. ANY
I noticed that the non-cached names have NSEC3PARAM with TTL=0. It seems that
Unbound kills the query result cache obtained by an ANY query when any one of
the RRsets expires. Is that the reason for the no-cache?
I don't know whether it's Unbound's bug or whether NSEC3PARAM with TTL=0 is
illegal, but Unbound serving applications that make ANY queries (qmail?)
would make excessive queries to name servers.
> Unbound doesn't cache ANY query results from some DNSSEC-signed
> zones. In this case Unbound always emits a query to the name server per
> user query.
> # unbound doesn't cache
> dig @::1 jp. ANY
> dig @::1 fr. ANY
> # unbound caches
> dig @::1 com. ANY
> dig @::1 nl. ANY
> I noticed that the non-cached names have NSEC3PARAM with TTL=0. It seems
> that Unbound kills the query result cache obtained by an ANY query when
> any one of the RRsets expires. Is that the reason for the no-cache?
Yes, TTL=0 is not cached. This is a must from the RFC.
Unbound does not 'gather up' RRs from cache to answer ANY, but asks for
the set of RRs upstream. The search through the cache would slow it down.
> I don't know whether it's Unbound's bug or whether NSEC3PARAM with TTL=0
> is illegal, but Unbound serving applications that make ANY queries
> (qmail?) would make excessive queries to name servers.
Yes. But not many normal ANY queries. TTL=0 is legal. Unbound's
behaviour for the ANY query is not really specified. So for cache
efficiency and ease it gets the query from upstream.
cache-min-ttl could perhaps change unbound's behaviour here.
I am not convinced that implementing ANY as 'all', encouraging
false expectations, is really the right thing to do.
Additionally, in the context of recent events - even if unbound
would only rarely be run as open recursive - it 'helps' authoritative
servers to see more queries.
I apologize if I am asking something that might be obvious to others; I
am not well versed in DNS. Why is it helpful for authoritative servers
to see more queries?
> cache-min-ttl could perhaps change unbound's behaviour here.
Thank you for your suggestion. I confirmed
that "cache-min-ttl: <small number>" leads Unbound to cache
such ANY-query results.
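To make the thread's diagnosis concrete, here is an added example (it is not code from the thread, from Unbound or from OpenDNSSEC) that parses a constructed dig-style ANY answer section, groups the records into RRsets and computes the TTL a cache may keep the whole message for: the smallest RRset TTL in the answer, raised to a cache-min-ttl floor. The owner name example.test, the record data and the TTL values are constructed sample input; the rules it implements are what the thread reports (a TTL 0 RRset makes the whole answer uncacheable, and cache-min-ttl raises TTLs below it), not a description of Unbound's internal code.

```python
import re
from collections import OrderedDict

# Constructed dig-style ANY answer section (not real zone data): every RRset
# carries a normal TTL except NSEC3PARAM and its RRSIG, which the signer
# published with TTL 0, as observed in the thread.
SAMPLE_ANSWER_TTL0 = """\
example.test.  86400  IN  SOA     ns1.example.test. hostmaster.example.test. 2024010101 3600 900 604800 300
example.test.  86400  IN  NS      ns1.example.test.
example.test.  86400  IN  NS      ns2.example.test.
example.test.  86400  IN  DNSKEY  257 3 8 AwEAAconstructedKSK==
example.test.  86400  IN  RRSIG   SOA 8 2 86400 20240201000000 20240101000000 12345 example.test. c29tZXNpZw==
example.test.  0      IN  NSEC3PARAM 1 0 5 AB12CD34
example.test.  0      IN  RRSIG   NSEC3PARAM 8 2 0 20240201000000 20240101000000 12345 example.test. c29tZXNpZw==
"""

# The same answer with the NSEC3PARAM RRset (and its RRSIG) republished at a
# normal TTL, the server-side workaround the thread ends with.
SAMPLE_ANSWER_FIXED = re.sub(r"^(\S+)\s+0\s+IN", r"\1 3600 IN",
                             SAMPLE_ANSWER_TTL0, flags=re.M)

# owner  ttl  IN  type  rdata   (class is always IN in the sample output)
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def parse_answer(text):
    """Group presentation-format RR lines into RRsets keyed by (owner, type).

    RRSIG records are keyed by the type they cover, because a cache treats
    each covering RRSIG set separately.  RFC 2181 requires all RRs in one
    RRset to share a TTL; if a server violates that we keep the minimum,
    which is also what RFC 2181 tells caches to do.
    """
    rrsets = OrderedDict()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or dig comment line
        m = RR_LINE.match(line)
        if not m:
            raise ValueError("unparseable RR line: %r" % line)
        owner, ttl, rtype, rdata = m.group(1).lower(), int(m.group(2)), m.group(3), m.group(4)
        key = (owner, rtype)
        if rtype == "RRSIG":
            key = (owner, "RRSIG(%s)" % rdata.split()[0])   # covered type is the first rdata field
        entry = rrsets.setdefault(key, {"ttl": ttl, "rdata": []})
        entry["ttl"] = min(entry["ttl"], ttl)
        entry["rdata"].append(rdata)
    return rrsets


def message_ttl(rrsets, cache_min_ttl=0):
    """TTL a resolver can keep the whole ANY response for.

    A message is only as cacheable as its shortest-lived RRset, so one
    TTL 0 RRset (here NSEC3PARAM) makes the entire answer uncacheable.
    cache_min_ttl models the floor the thread reports unbound's
    cache-min-ttl option applies: TTLs below it are raised to it.
    """
    if not rrsets:
        return 0
    shortest = min(rs["ttl"] for rs in rrsets.values())
    return max(shortest, cache_min_ttl)


def zero_ttl_rrsets(rrsets):
    """The RRsets that pin the message TTL at zero."""
    return [key for key, rs in rrsets.items() if rs["ttl"] == 0]


def report(text, cache_min_ttl=0):
    """Summarise cacheability of one ANY answer under a given TTL floor."""
    rrsets = parse_answer(text)
    ttl = message_ttl(rrsets, cache_min_ttl)
    return {
        "rrsets": len(rrsets),
        "zero_ttl": zero_ttl_rrsets(rrsets),
        "message_ttl": ttl,
        "cacheable": ttl > 0,
    }


if __name__ == "__main__":
    for label, text in (("signer publishes NSEC3PARAM TTL 0", SAMPLE_ANSWER_TTL0),
                        ("NSEC3PARAM republished with TTL 3600", SAMPLE_ANSWER_FIXED)):
        for floor in (0, 60):
            r = report(text, cache_min_ttl=floor)
            print("%-38s cache-min-ttl=%-3d -> message TTL %5d, cacheable=%s, zero-TTL RRsets=%s"
                  % (label, floor, r["message_ttl"], r["cacheable"], r["zero_ttl"]))
```

Run stand-alone it prints four lines: with the signer's TTL 0 the message TTL is 0 and the answer is not cacheable until a floor of 60 is applied; with NSEC3PARAM republished at 3600 it is cacheable either way. The floor corresponds to a `cache-min-ttl:` setting in the `server:` section of unbound.conf; note that it raises every TTL in the cache below that value, not only the NSEC3PARAM one, so the domain owner's short TTLs elsewhere are overridden too.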
> I am not convinced that implementing ANY as 'all', encouraging
> false expectations, is really the right thing to do.
> Additionally, in the context of recent events - even if unbound
> would only rarely be run as open recursive - it 'helps' authoritative
> servers to see more queries.
On the name server side, giving a non-zero TTL to NSEC3PARAM records
might be a workaround for this issue.
Unfortunately OpenDNSSEC decided to set a zero TTL
on the NSEC3PARAM of signed zones [1].