[Unbound-users] Maximum TTL for negative cache
Tomas Hozza
2015-06-08 07:43:09 UTC
Hi.

I was trying to find out if it is possible to limit the maximum TTL for
caching negative answers with unbound. I was able to find
the limit for maximum TTL for any answers (cache-max-ttl) and for
bogus answers (val-bogus-ttl).

Is it really not possible to set negative cache maximum TTL?

In Fedora we plan to use Unbound + dnssec-trigger by default
from Fedora 23. For the beginning we would like to limit the
TTL for negative cache, since there were some concerns raised
on the Fedora devel-list. These were mostly resolved, but
to be safe, we still want to limit the TTL for negative cache.

Thanks!

Regards,
--
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc. http://cz.redhat.com
Yuri Schaeffer
2015-06-09 08:26:18 UTC
Hi Tomas,
Post by Tomas Hozza
I was trying to find out if it is possible to limit the maximum
TTL for caching negative answers with unbound. I was able to find
the limit for maximum TTL for any answers (cache-max-ttl) and for
bogus answers (val-bogus-ttl).
Is it really not possible to set negative cache maximum TTL?
I've done some digging in the code and believe cache-max-ttl is
applicable to negative answers as well.

//Yuri
Paul Wouters
2015-06-09 16:22:21 UTC
Post by Yuri Schaeffer
Post by Tomas Hozza
Is it really not possible to set negative cache maximum TTL?
I've done some digging in the code and believe cache-max-ttl is
applicable to negative answers as well.
But that's not very useful.

The use case here is for instance when you're hotspotted and you will
get a bunch of false answers or DNS queries fail. You really want to
forget these practically instantly. But we don't want the real cache's
TTLs reduced to instantly, as that would uhm, remove the entire cache.

We can call it a bug instead of a feature if that makes Wouter happier :)

Paul
Tomas Hozza
2015-06-12 09:56:14 UTC
Post by Paul Wouters
Post by Yuri Schaeffer
Post by Tomas Hozza
Is it really not possible to set negative cache maximum TTL?
I've done some digging in the code and believe cache-max-ttl is
applicable to negative answers as well.
But that's not very useful.
The use case here is for instance when you're hotspotted and you will
get a bunch of false answers or DNS queries fail. You really want to
forget these practically instantly. But we don't want the real cache's
TTLs reduced to instantly, as that would uhm, remove the entire cache.
We can call it a bug instead of a feature if that makes Wouter happier :)
Paul
_______________________________________________
Unbound-users mailing list
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
Yesterday I noticed that the maximum negative cache TTL is already in the upstream repo,
added on 29.5... So problem solved. ;)

Regards,
--
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc. http://cz.redhat.com
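As an added example (not code from the thread's participants or from the Unbound project), here is a small Python lint that applies Unbound's TTL caps to the server: clause of an unbound.conf and makes Paul's point concrete: lowering cache-max-ttl alone shortens the whole cache, while a separate negative cap leaves positive answers untouched. The option name cache-max-negative-ttl is my identification of the upstream option Tomas refers to (the thread does not name it), and the default values are assumed from memory; check both against the man page of the installed version.

```python
"""Lint TTL caps in an unbound.conf server: clause (added example).
Option names follow unbound.conf(5); the defaults below are assumed from
memory and should be checked against the installed man page."""
import re

ASSUMED_DEFAULTS = {
    "cache-max-ttl": 86400,          # cap on any cached answer
    "cache-max-negative-ttl": 3600,  # extra cap on NXDOMAIN/NODATA answers
    "val-bogus-ttl": 60,             # how long a DNSSEC-bogus result is kept
}
OPTION_RE = re.compile(r"^([a-z-]+):\s*(\d+)$")

def parse_ttl_options(conf_text):
    """Return the TTL options explicitly set in the server: clause only."""
    found, in_server = {}, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop trailing comments
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):
            in_server = line.strip() == "server:"  # clause header
            continue
        m = OPTION_RE.match(line.strip())
        if in_server and m and m.group(1) in ASSUMED_DEFAULTS:
            found[m.group(1)] = int(m.group(2))
    return found

def effective_caps(conf_text):
    """Caps applied per answer class. cache-max-ttl bounds every answer,
    so a negative answer is held for at most the smaller of the two caps."""
    caps = {**ASSUMED_DEFAULTS, **parse_ttl_options(conf_text)}
    return {
        "positive": caps["cache-max-ttl"],
        "negative": min(caps["cache-max-ttl"], caps["cache-max-negative-ttl"]),
        "bogus": caps["val-bogus-ttl"],
    }

def lint(conf_text, max_negative=60):
    """Flag configs that keep failures long, or that shorten negative
    answers only by shortening the whole cache (the hotspot concern)."""
    caps, issues = effective_caps(conf_text), []
    if caps["negative"] > max_negative:
        issues.append(f"negative answers cached up to {caps['negative']}s")
    if caps["negative"] >= caps["positive"]:
        issues.append("negative cap not tighter than cache-max-ttl")
    return issues

# Constructed sample configs (not from the thread).
CONF_ONLY_MAX_TTL = "server:\n    cache-max-ttl: 60\n"
CONF_SEPARATE_CAP = "server:\n    cache-max-ttl: 86400\n    cache-max-negative-ttl: 60\n"
```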