Comment by simoncion
7 hours ago
> So clients querying a broken domain will retry each of their configured DNS servers, our caching layer (Unbound) will also retry each of their upstreams etc...
I expect this is why BIND 9 has the 'servfail-ttl' option. [0]
Turns out that there's a standards-track RFC from 1998 that explicitly permits caching SERVFAIL responses. [1] Section 8 of that document suggests that this behavior was permitted by RFC 1034 (published back in 1987).
[0] <https://bind9.readthedocs.io/en/v9.18.42/reference.html#name...>
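Added example (not part of the comment above, and not BIND or Unbound code): a toy Python model of the retry fan-out the quoted text describes, and of how a short SERVFAIL cache like the one `servfail-ttl` configures bounds the upstream load. The class and function names, the `broken.example` domain and the client, resolver and upstream counts are all constructed assumptions.

```python
class CachingResolver:
    """Toy caching layer forwarding to several upstreams (constructed model)."""

    def __init__(self, upstreams, servfail_ttl):
        self.upstreams = upstreams
        self.servfail_ttl = servfail_ttl   # seconds; 0 disables SERVFAIL caching
        self.servfail_cache = {}           # (qname, qtype, qclass) -> expiry time
        self.upstream_queries = 0

    def resolve(self, qname, qtype, now, qclass="IN"):
        key = (qname.lower(), qtype, qclass)
        if self.servfail_cache.get(key, 0) > now:
            return "SERVFAIL"              # served from the failure cache
        for upstream in self.upstreams:    # retry every upstream in turn
            self.upstream_queries += 1
            rcode = upstream(qname, qtype)
            if rcode != "SERVFAIL":
                return rcode
        if self.servfail_ttl > 0:
            self.servfail_cache[key] = now + self.servfail_ttl
        return "SERVFAIL"


def broken_upstream(qname, qtype):
    # Constructed upstream: every name under broken.example fails.
    return "SERVFAIL" if qname.endswith("broken.example") else "NOERROR"


def simulate(servfail_ttl, clients=50, resolvers=2, upstreams=3, seconds=10):
    """Return total upstream queries caused by clients asking for a broken name."""
    layer = [CachingResolver([broken_upstream] * upstreams, servfail_ttl)
             for _ in range(resolvers)]
    for now in range(seconds):
        for _ in range(clients):
            for resolver in layer:         # client tries each configured server
                if resolver.resolve("www.broken.example", "A", now) != "SERVFAIL":
                    break
    return sum(r.upstream_queries for r in layer)


if __name__ == "__main__":
    for ttl in (0, 1, 5):
        print(f"servfail ttl={ttl}s -> {simulate(ttl)} upstream queries")
```

With caching disabled every client query fans out to every upstream of every resolver; with a 1-second failure cache each resolver re-asks its upstreams at most once per second, regardless of client count.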