Skip to content

TTL issue with resolver's cached and expired results for qtype ANY queries

When the resolver retrieves cached rdatasets from a database node in lib/ns/query.c:query_respond_any() for a qtype ANY query, and some of them are expired, those expired RRs are included in the answer with big (UNIX timestamp big) TTLs. Here's how to reproduce the issue.

Run a resolver locally with the following configuration:

options {
    directory ".";
    pid-file "named.pid";
    listen-on-v6 { none; };
    listen-on port 9053 { 127.0.0.1; };

    dnssec-validation auto;
    recursion yes;

    allow-recursion { 127.0.0.1; };
};

Query for github.com ANY:

$ dig @127.0.0.1 -p9053 github.com ANY

; <<>> DiG 9.18.7 <<>> @127.0.0.1 -p9053 github.com ANY
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42497
;; flags: qr rd ra; QUERY: 1, ANSWER: 28, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 3e7b2b8f73eb454a01000000634fe23fe9aa5ebb8af2d349 (good)
;; QUESTION SECTION:
;github.com.			IN	ANY

;; ANSWER SECTION:
github.com.		3600	IN	CAA	0 issue "globalsign.com"
github.com.		3600	IN	CAA	0 issuewild "digicert.com"
github.com.		3600	IN	CAA	0 issue "digicert.com"
github.com.		3600	IN	TXT	"adobe-idp-site-verification=b92c9e999aef825edc36e0a3d847d2dbad5b2fc0e05c79ddd7a16139b48ecf4b"
github.com.		3600	IN	TXT	"google-site-verification=UTM-3akMgubp6tQtgEuAkYNYLyYAvpTnnSrDMWoDR3o"
github.com.		3600	IN	TXT	"MS=6BF03E6AF5CB689E315FB6199603BABF2C88D805"
github.com.		3600	IN	TXT	"apple-domain-verification=RyQhdzTl6Z6x8ZP4"
github.com.		3600	IN	TXT	"MS=ms58704441"
github.com.		3600	IN	TXT	"MS=ms44452932"
github.com.		3600	IN	TXT	"docusign=087098e3-3d46-47b7-9b4e-8a23028154cd"
github.com.		3600	IN	TXT	"atlassian-domain-verification=jjgw98AKv2aeoYFxiL/VFaoyPkn3undEssTRuMg6C/3Fp/iqhkV4HVV7WjYlVeF8"
github.com.		3600	IN	TXT	"v=spf1 ip4:192.30.252.0/22 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com include:spf.protection.outlook.com include:mail.zendesk.com include:_spf.salesforce.com include:servers.mcsv.net ip4:166.78.69.169 ip4:1" "66.78.69.170 ip4:166.78.71.131 ip4:167.89.101.2 ip4:167.89.101.192/28 ip4:192.254.112.60 ip4:192.254.112.98/31 ip4:192.254.113.10 ip4:192.254.113.101 ip4:192.254.114.176 ip4:62.253.227.114 ~all"
github.com.		3600	IN	TXT	"stripe-verification=f88ef17321660a01bab1660454192e014defa29ba7b8de9633c69d6b4912217f"
github.com.		3600	IN	MX	10 alt4.aspmx.l.google.com.
github.com.		3600	IN	MX	1 aspmx.l.google.com.
github.com.		3600	IN	MX	5 alt1.aspmx.l.google.com.
github.com.		3600	IN	MX	5 alt2.aspmx.l.google.com.
github.com.		3600	IN	MX	10 alt3.aspmx.l.google.com.
github.com.		900	IN	SOA	ns-1707.awsdns-21.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
github.com.		60	IN	A	140.82.114.3
github.com.		900	IN	NS	ns-520.awsdns-01.net.
github.com.		900	IN	NS	ns-421.awsdns-52.com.
github.com.		900	IN	NS	dns4.p08.nsone.net.
github.com.		900	IN	NS	ns-1707.awsdns-21.co.uk.
github.com.		900	IN	NS	dns1.p08.nsone.net.
github.com.		900	IN	NS	ns-1283.awsdns-32.org.
github.com.		900	IN	NS	dns3.p08.nsone.net.
github.com.		900	IN	NS	dns2.p08.nsone.net.

;; ADDITIONAL SECTION:
ns-421.awsdns-52.com.	172800	IN	A	205.251.193.165

;; Query time: 63 msec
;; SERVER: 127.0.0.1#9053(127.0.0.1) (TCP)
;; WHEN: Wed Oct 19 11:40:47 UTC 2022
;; MSG SIZE  rcvd: 1670

As you can see, the A record has a TTL value of 60. Wait 60 seconds for it to expire, then repeat the query:

$ dig @127.0.0.1 -p9053 github.com ANY

; <<>> DiG 9.18.7 <<>> @127.0.0.1 -p9053 github.com ANY
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27528
;; flags: qr rd ra; QUERY: 1, ANSWER: 28, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: fdb7a33b7c5d8e0601000000634fe28a0d3f8db7e69dc8f7 (good)
;; QUESTION SECTION:
;github.com.			IN	ANY

;; ANSWER SECTION:
github.com.		3525	IN	CAA	0 issue "digicert.com"
github.com.		3525	IN	CAA	0 issuewild "digicert.com"
github.com.		3525	IN	CAA	0 issue "globalsign.com"
github.com.		3525	IN	TXT	"adobe-idp-site-verification=b92c9e999aef825edc36e0a3d847d2dbad5b2fc0e05c79ddd7a16139b48ecf4b"
github.com.		3525	IN	TXT	"atlassian-domain-verification=jjgw98AKv2aeoYFxiL/VFaoyPkn3undEssTRuMg6C/3Fp/iqhkV4HVV7WjYlVeF8"
github.com.		3525	IN	TXT	"v=spf1 ip4:192.30.252.0/22 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com include:spf.protection.outlook.com include:mail.zendesk.com include:_spf.salesforce.com include:servers.mcsv.net ip4:166.78.69.169 ip4:1" "66.78.69.170 ip4:166.78.71.131 ip4:167.89.101.2 ip4:167.89.101.192/28 ip4:192.254.112.60 ip4:192.254.112.98/31 ip4:192.254.113.10 ip4:192.254.113.101 ip4:192.254.114.176 ip4:62.253.227.114 ~all"
github.com.		3525	IN	TXT	"MS=ms44452932"
github.com.		3525	IN	TXT	"google-site-verification=UTM-3akMgubp6tQtgEuAkYNYLyYAvpTnnSrDMWoDR3o"
github.com.		3525	IN	TXT	"MS=6BF03E6AF5CB689E315FB6199603BABF2C88D805"
github.com.		3525	IN	TXT	"apple-domain-verification=RyQhdzTl6Z6x8ZP4"
github.com.		3525	IN	TXT	"MS=ms58704441"
github.com.		3525	IN	TXT	"stripe-verification=f88ef17321660a01bab1660454192e014defa29ba7b8de9633c69d6b4912217f"
github.com.		3525	IN	TXT	"docusign=087098e3-3d46-47b7-9b4e-8a23028154cd"
github.com.		3525	IN	MX	1 aspmx.l.google.com.
github.com.		3525	IN	MX	10 alt4.aspmx.l.google.com.
github.com.		3525	IN	MX	10 alt3.aspmx.l.google.com.
github.com.		3525	IN	MX	5 alt1.aspmx.l.google.com.
github.com.		3525	IN	MX	5 alt2.aspmx.l.google.com.
github.com.		825	IN	SOA	ns-1707.awsdns-21.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
github.com.		1666179707 IN	A	140.82.114.3
github.com.		825	IN	NS	ns-1283.awsdns-32.org.
github.com.		825	IN	NS	dns1.p08.nsone.net.
github.com.		825	IN	NS	dns2.p08.nsone.net.
github.com.		825	IN	NS	dns3.p08.nsone.net.
github.com.		825	IN	NS	dns4.p08.nsone.net.
github.com.		825	IN	NS	ns-421.awsdns-52.com.
github.com.		825	IN	NS	ns-520.awsdns-01.net.
github.com.		825	IN	NS	ns-1707.awsdns-21.co.uk.

;; ADDITIONAL SECTION:
ns-421.awsdns-52.com.	172725	IN	A	205.251.193.165

;; Query time: 0 msec
;; SERVER: 127.0.0.1#9053(127.0.0.1) (TCP)
;; WHEN: Wed Oct 19 11:42:02 UTC 2022
;; MSG SIZE  rcvd: 1670

As you can see, now the A record has a TTL value of 1666179707.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information