> In this example, trying to look up a CAA record for a domain:
> ...
> # time host -t CAA jhmnet.net 192.168.136.181 ...
> real 0m3.876s
>
> Run this again, immediately after: ..
> real 0m0.016s
>
> Implying the cache is working as expected. (cache-max-negative-ttl: 120)
>
> However, after about ~9 seconds, the query goes back to taking
> 3-4 seconds, implying it's not. Sure enough a tcpdump on the
> host running unbound shows it trying to access the jhmnet.net
> Auth server(s)
>
> Why is unbound not respecting the 2 (120second) min max-negative-ttl?

The situation with jhmnet.net is that it's completely off the air, because neither of the two delegated-to name servers serve the zone, so you have a "double lame delegation". Negative caching revolves around negative authoritative answers, and this isn't that -- the resolver simply wasn't able to get any answer whatsoever.

Regards,

- Håvard
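
The distinction drawn in the reply above, as an added example that is not part of the original thread and not Unbound's code: a small model of the RFC 2308 rules deciding whether a response is a negative answer that a negative-TTL cap can apply to. The `RR`/`Response` types, the function name and the sample responses are constructed for illustration; only the 120-second cap comes from the thread.

```python
from dataclasses import dataclass, field
from typing import Optional

NOERROR, SERVFAIL, NXDOMAIN, REFUSED = 0, 2, 3, 5
MAX_NEGATIVE_TTL = 120  # cache-max-negative-ttl value quoted in the thread

@dataclass
class RR:
    name: str
    rtype: str
    ttl: int
    soa_minimum: int = 0  # SOA MINIMUM field; only meaningful for SOA records

@dataclass
class Response:
    rcode: int
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)

def negative_cache_ttl(resp: Optional[Response], qtype: str):
    """Return (kind, ttl); ttl is None when negative caching does not apply.
    Simplified model: CNAME chains in the answer section are not followed."""
    if resp is None:
        return ("NO_RESPONSE", None)      # timeout, nothing came back at all
    if resp.rcode not in (NOERROR, NXDOMAIN):
        return ("SERVER_FAILURE", None)   # SERVFAIL/REFUSED is not a negative answer
    if any(rr.rtype == qtype for rr in resp.answer):
        return ("POSITIVE", None)
    soa = next((rr for rr in resp.authority if rr.rtype == "SOA"), None)
    if soa is None:
        # RFC 2308 section 5: a negative response without an SOA should not be
        # cached (a NOERROR one may equally be a referral).
        return ("NO_SOA", None)
    kind = "NXDOMAIN" if resp.rcode == NXDOMAIN else "NODATA"
    # Negative TTL is min(SOA TTL, SOA MINIMUM), then capped by the resolver.
    return (kind, min(soa.ttl, soa.soa_minimum, MAX_NEGATIVE_TTL))

# Constructed sample responses (not captured traffic).
SOA = RR("example.test.", "SOA", ttl=3600, soa_minimum=900)
NODATA_CAA = Response(NOERROR, authority=[SOA])       # zone is served, no CAA record
NXDOMAIN_NAME = Response(NXDOMAIN, authority=[RR("example.test.", "SOA", 60, 30)])
LAME_REFUSED = Response(REFUSED)                      # server does not serve the zone
LAME_TIMEOUT = None                                   # server never answered

if __name__ == "__main__":
    for label, r in [("NODATA", NODATA_CAA), ("NXDOMAIN", NXDOMAIN_NAME),
                     ("lame/REFUSED", LAME_REFUSED), ("lame/timeout", LAME_TIMEOUT)]:
        print(label, negative_cache_ttl(r, "CAA"))
```

Only the first two cases produce a TTL that the 120-second cap can shorten; the lame-delegation cases never enter the negative cache in this model, which is the situation the reply describes.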