Bad DNSSEC Cache in Microsoft DNS

Yevheniya 1 Reputation point
2020-08-31T09:23:33.597+00:00

Hello,

I am running a recursive resolver on Windows Server 2019 and it is configured as a DNSSEC validator.

I am wondering whether Microsoft DNS has a feature called "bad cache" that is described in the DNSSEC standard (RFC-4035 paragraph 4.7). In other words, whenever a validating resolver encounters a bogus domain that fails validation, does it cache the validation failure? For how long (for the TTL of the bogus zone or some other value)? What if the exact same query arrives later, will it recontact authoritative nameservers and attempt to re-validate the bogus data?

Thank you in advance!

1 answer

  1. Gloria Gu 3,896 Reputation points
    2020-09-01T03:16:48.807+00:00

    Hi,

    Regarding your issue, when trying to resolve a domain that has 'bogus issues', the DNS server should only return a SERVFAIL error status without any DNS data (an indication of general name resolution failure), as follows:

    ~ dig www.dnssec-failed.org

    ; <<>> DiG 9.7.2-P2 <<>> www.dnssec-failed.org
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17692
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;www.dnssec-failed.org. IN A

    ;; Query time: 108 msec
    ;; SERVER: 192.168.1.2#53(192.168.1.2)
    ;; WHEN: Fri Nov 19 16:08:29 2010
    ;; MSG SIZE rcvd: 39

    So according to my research, the 'Bad DNSSEC Cache' will not exist in DNSSEC. For more details, please refer to:
    https://docs.menandmice.com/display/MM/How+to+test+DNSSEC+validation
    https://serverfault.com/questions/720293/dnsmasq-returns-false-bogus-result-for-dnssec-validation

    -------If my answer is helpful to you, please remember to mark it as the answer. Thank you!------

    Regards
    Gloria
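
The BAD cache behaviour that RFC 4035 section 4.7 (cited in the question) describes, modelled as an added example that is not part of the original thread and does not describe Microsoft DNS internals: the resolver assigns its own small TTL to a validation failure and answers from the BAD cache only after failures for the same <QNAME, QTYPE, QCLASS> exceed a threshold. The class and function names, the 60-second TTL, the threshold of 2 and the always-failing validator are assumptions chosen for illustration.

```python
import time

class BadCache:
    """Model of the BAD cache in RFC 4035 section 4.7 (hypothetical names and values)."""

    def __init__(self, bad_ttl=60, threshold=2, clock=time.monotonic):
        self.bad_ttl = bad_ttl      # resolver-assigned: bogus data has no trustworthy TTL
        self.threshold = threshold  # failures that must be exceeded before short-circuiting
        self.clock = clock
        self.failures = {}          # (qname, qtype, qclass) -> (count, expiry)

    def _live(self, key):
        count, expiry = self.failures.get(key, (0, 0.0))
        if count and self.clock() >= expiry:
            del self.failures[key]  # entry expired: past failures are forgotten
            return 0
        return count

    def should_short_circuit(self, qname, qtype, qclass="IN"):
        """True when SERVFAIL may be returned without re-contacting authoritative servers."""
        return self._live((qname.lower(), qtype, qclass)) > self.threshold

    def record_failure(self, qname, qtype, qclass="IN"):
        key = (qname.lower(), qtype, qclass)
        self.failures[key] = (self._live(key) + 1, self.clock() + self.bad_ttl)

def resolve(cache, qname, qtype, validate):
    """Return (rcode, upstream_contacted); `validate` stands in for recursion plus validation."""
    if cache.should_short_circuit(qname, qtype):
        return "SERVFAIL", False
    if validate(qname, qtype):
        return "NOERROR", True
    cache.record_failure(qname, qtype)  # a transient failure is not pinned on first sight
    return "SERVFAIL", True

def demo():
    now = [0.0]                               # fake clock so the run is deterministic
    cache = BadCache(clock=lambda: now[0])
    bogus = lambda qname, qtype: False        # constructed: this zone always fails validation
    trace = []
    for t in (0, 1, 2, 3, 30, 63):            # query times in seconds
        now[0] = t
        trace.append(resolve(cache, "www.dnssec-failed.org", "A", bogus))
    return trace

if __name__ == "__main__":
    for step in demo():
        print(step)
```

In this model the first three queries are re-validated upstream, the queries at 3 s and 30 s are answered from the BAD cache, and the query at 63 s triggers re-validation because the resolver-assigned TTL has expired.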