* Marco d'Itri:

> ; Bad cache
> ;
> ; intercom.it/DS [ttl 590265]

That TTL is extremely suspicious and is way longer than anything
warranted by IT zone contents.  Looks like the clock went back almost
seven days since the entry was added to the cache.

I suspect what happens is this: System wakes up with an incorrect
clock.  BIND performs name resolution, entering records in its cache
with expiry relative to the incorrect time.  chrony or ntpd corrects
the time, setting it roughly seven days backwards.  We now have an
entry in the cache which expires very far in the future.

Alternative theory: The clock is many days in the past after wakeup,
BIND notices that the signature on the DS record is not yet valid, and
caches this information until such time as it becomes valid.  But in this
case, I'd expect that the entry from this “Bad cache” is expired
automatically after the system clock has been corrected, so it
wouldn't extend name lookup failures.

Would you please check if the system log says anything about clock
adjustments?
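
The first hypothesis in the message above, as an added example that is not part of the original message and is not BIND's code: a toy cache stores expiry as an absolute wall-clock time, the clock is then stepped back, and the remaining TTL grows by the size of the step. The class names, the 3600-second TTL, the 60-second delay and the one-week skew are constructed assumptions; the monotonic variant is included only for comparison.

```python
from dataclasses import dataclass

WEEK = 7 * 24 * 3600  # constructed skew, in seconds


@dataclass
class Clock:
    wall: int      # wall-clock seconds; a time daemon may step this
    mono: int = 0  # monotonic seconds since boot; never stepped

    def advance(self, seconds):
        # Real time passing moves both clocks forward.
        self.wall += seconds
        self.mono += seconds

    def step(self, delta):
        # A clock correction changes only the wall clock.
        self.wall += delta


class ToyCache:
    """Hypothetical resolver cache keeping one absolute expiry per name."""

    def __init__(self, clock, use_monotonic):
        self.clock = clock
        self.use_monotonic = use_monotonic
        self.expiry = {}

    def _now(self):
        return self.clock.mono if self.use_monotonic else self.clock.wall

    def put(self, name, ttl):
        self.expiry[name] = self._now() + ttl

    def remaining_ttl(self, name):
        return max(0, self.expiry[name] - self._now())


def simulate(use_monotonic, ttl=3600, skew=WEEK, delay=60):
    """Wake with the clock `skew` seconds ahead, cache an entry, then correct."""
    true_time = 1_700_000_000               # constructed "real" time
    clock = Clock(wall=true_time + skew)    # system wakes with a wrong clock
    cache = ToyCache(clock, use_monotonic)
    cache.put("intercom.it/DS", ttl)        # entry added under the wrong time
    clock.advance(delay)                    # a minute passes
    clock.step(-skew)                       # time daemon steps the clock back
    return cache.remaining_ttl("intercom.it/DS")


if __name__ == "__main__":
    print("wall-clock expiry, TTL after correction:", simulate(False))
    print("monotonic expiry, TTL after correction: ", simulate(True))
```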
