Bad DNSSEC Cache in Microsoft DNS

Yevheniya 1 Reputation point


I am running a recursive resolver on Windows Server 2019 and it is configured as a DNSSEC validator.

I am wondering whether Microsoft DNS has a feature called "bad cache" that is described in the DNSSEC standard (RFC 4035, section 4.7). In other words, whenever a validating resolver encounters a bogus domain that fails validation, does it cache the validation failure? For how long (for the TTL of the bogus zone or some other value)? What if exactly the same query arrives later; will it recontact the authoritative nameservers and attempt to re-validate the bogus data?

Thank you in advance!

Windows Server 2019

1 answer

  1. Gloria Gu 3,811 Reputation points


    In regard to your issue, when trying to resolve a domain that has 'bogus issues', the DNS server should only return a SERVFAIL error status without any DNS data (an indication of general name resolution failure), such as the following:

    ~ dig

    ; <<>> DiG 9.7.2-P2 <<>>
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17692
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ; IN A

    ;; Query time: 108 msec
    ;; SERVER:
    ;; WHEN: Fri Nov 19 16:08:29 2010
    ;; MSG SIZE rcvd: 39

    So according to my research, the 'Bad DNSSEC Cache' will not exist in DNSSEC. For more details, please refer to:

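As an added example (not part of the question or the answer above), a small script that parses two dig transcripts of the same query against a validating resolver and reports whether the repeated SERVFAIL came back fast enough to suggest the failure was served from cache rather than re-validated upstream. The transcripts and the timing threshold are constructed assumptions; the timing heuristic is an indicator, not proof of the resolver's cache policy.

```python
import re
from dataclasses import dataclass

# Constructed dig transcripts (hypothetical name and resolver): the same query
# sent twice; the first takes a full upstream round trip, the second is instant.
FIRST_QUERY = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17692
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; Query time: 108 msec
"""
SECOND_QUERY = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17693
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; Query time: 0 msec
"""

HEADER_RE = re.compile(r";; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r";; flags: ([a-z ]*); QUERY: (\d+), ANSWER: (\d+), AUTHORITY: (\d+), ADDITIONAL: (\d+)")
TIME_RE = re.compile(r";; Query time: (\d+) msec")

@dataclass
class DigResult:
    status: str          # rcode, e.g. NOERROR or SERVFAIL
    answer_count: int
    query_time_ms: int
    authenticated: bool  # 'ad' flag: resolver asserts the data validated

def parse_dig(text: str) -> DigResult:
    """Extract rcode, answer count, query time and the AD flag from dig output."""
    header, flags, qtime = HEADER_RE.search(text), FLAGS_RE.search(text), TIME_RE.search(text)
    if not (header and flags and qtime):
        raise ValueError("not a dig transcript")
    return DigResult(
        status=header.group(2),
        answer_count=int(flags.group(3)),
        query_time_ms=int(qtime.group(1)),
        authenticated="ad" in flags.group(1).split(),
    )

def classify(first: DigResult, second: DigResult, cache_threshold_ms: int = 5) -> str:
    """Heuristic: a repeated SERVFAIL answered within cache_threshold_ms suggests the
    failure was served from cache; a full round-trip time suggests re-validation."""
    if first.status != "SERVFAIL":
        return "no-validation-failure"
    if second.status != first.status:
        return "inconsistent"
    if second.query_time_ms <= cache_threshold_ms:
        return "cached-failure"
    return "revalidated"
```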