
In this episode of PING, Verisign fellow Duane Wessels discusses a late-stage (version 08) Internet draft he’s working on with two colleagues from Verisign. The draft is on Negative Caching of DNS Resolution Failures and is co-authored by Duane, William Carroll, and Matt Thomas.
This episode discusses the behaviour of the DNS system overall in the face of failures to answer. There are already mechanisms to deny the existence of a queried name or a specific resource type. There are also mechanisms to define how long this negative answer should be cached, just as there are cache lifetimes defined for how long to hold valid answers, things that do exist, and have been supplied.
This time, it’s a cache of not being able to answer. The thing asked about? It might exist, or it might not. This cached data doesn’t say whether it exists or not; it records a failure to be able to answer. As the draft states: “… a non-response due to a resolution failure in which the resolver does not receive any useful information regarding the data’s existence.”
Prior DNS specifications did provide guidance on caching in the context of positive responses and negative responses, but the only guidance relating to failing to answer was to avoid aggressive re-querying of the nameservers that should be able to answer.
Read more about the draft, and other DNS-related work by Duane on the APNIC Blog: