[Unbound-users] Maximum TTL for negative cache

Discussion:

Tomas Hozza

2015-06-08 07:43:09 UTC

Hi.

I was trying to find out, if it is possible to limit the maximum TTL for
caching negative answers with unbound. I was able to find
the limit for maximum TTL for any answers (cache-max-ttl) and for
bogus answers (val-bogus-ttl).

Is it really not possible to set negative cache maximum TTL?

In Fedora we plan to use Unbound + dnssec-trigger by default
from Fedora 23. For the beginning we would like to limit the
TTL for negative cache, since there were some concerns raised
on the Fedora devel-list. These were mostly resolved, but
to be safe, we still want to limit the TTL for negative cache.

Thanks!

Regards,

--
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc. http://cz.redhat.com

Yuri Schaeffer

2015-06-09 08:26:18 UTC

Permalink

Hi Tomas,

Post by Tomas Hozza
I was trying to find out, if it is possible to limit the maximum
TTL for caching negative answers with unbound. I was able to find
the limit for maximum TTL for any answers (cache-max-ttl) and for
bogus answers (val-bogus-ttl).
Is it really not possible to set negative cache maximum TTL?

I've done some digging in the code and believe cache-max-ttl is
applicable to negative answers as well.

//Yuri

Paul Wouters

2015-06-09 16:22:21 UTC

Permalink

Post by Yuri Schaeffer

Post by Tomas Hozza
Is it really not possible to set negative cache maximum TTL?

I've done some digging in the code and believe cache-max-ttl is
applicable to negative answers as well.

But that's not very useful.

The use case here is for instance when you're hotspotted and you will
get a bunch of false answers or DNS queries fail. You really want to
forget these practically instantly. But we don't want the real cache's
TTLs reduced to instantly, as that would uhm, remove the entire cache.

We can call it a bug instead of a feature if that makes Wouter happier :)

Paul

Tomas Hozza

2015-06-12 09:56:14 UTC

Permalink

Post by Paul Wouters

Post by Yuri Schaeffer

Post by Tomas Hozza
Is it really not possible to set negative cache maximum TTL?

I've done some digging in the code and believe cache-max-ttl is
applicable to negative answers as well.

But that's not very useful.
The use case here is for instance when you're hotspotted and you will
get a bunch of false answers or DNS queries fail. You really want to
forget these practically instantly. But we don't want the real cache's
TTLs reduced to instantly, as that would uhm, remove the entire cache.
We can call it a bug instead of a feature if that makes Wouter happier :)
Paul
_______________________________________________
Unbound-users mailing list
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users

Yesterday I noticed that the maximum negative cache ttl is already in the upstream repo,
added on 29.5... So problem solved. ;)

Regards,

--
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc. http://cz.redhat.com