plugin/cache: fix TTL for negative DNS responses (#2197)

plugin/cache/README.md

@@ -24,7 +24,6 @@ cache [TTL] [ZONES...]
 * **ZONES** zones it should cache for. If empty, the zones from the configuration block are used.
 
 Each element in the cache is cached according to its TTL (with **TTL** as the max).
-For the negative cache, the SOA's MinTTL value is used. A TTL of zero is not allowed.
 A cache is divided into 256 shards, each holding up to 512 items by default - for a total size
 of 256 * 512 = 131,072 items.
 
@@ -101,4 +100,4 @@ Enable caching for all zones, keep a positive cache size of 5000 and a negative
          denial 2500
     }
  }
- ~~~
+ ~~~

plugin/pkg/dnsutil/ttl.go

@@ -14,34 +14,21 @@ func MinimalTTL(m *dns.Msg, mt response.Type) time.Duration {
 		return MinimalDefaultTTL
 	}
 
-	// No data to examine, return a short ttl as a fail safe.
+	// No records or OPT is the only record, return a short ttl as a fail safe.
-	if len(m.Answer)+len(m.Ns)+len(m.Extra) == 0 {
+	if len(m.Answer)+len(m.Ns) == 0 &&
+		(len(m.Extra) == 0 || (len(m.Extra) == 1 && m.Extra[0].Header().Rrtype == dns.TypeOPT)) {
 		return MinimalDefaultTTL
 	}
 
 	minTTL := MaximumDefaulTTL
 	for _, r := range m.Answer {
-		switch mt {
+		if r.Header().Ttl < uint32(minTTL.Seconds()) {
-		case response.NameError, response.NoData:
+			minTTL = time.Duration(r.Header().Ttl) * time.Second
-			if r.Header().Rrtype == dns.TypeSOA {
-				minTTL = time.Duration(r.(*dns.SOA).Minttl) * time.Second
-			}
-		case response.NoError, response.Delegation:
-			if r.Header().Ttl < uint32(minTTL.Seconds()) {
-				minTTL = time.Duration(r.Header().Ttl) * time.Second
-			}
 		}
 	}
 	for _, r := range m.Ns {
-		switch mt {
+		if r.Header().Ttl < uint32(minTTL.Seconds()) {
-		case response.NameError, response.NoData:
+			minTTL = time.Duration(r.Header().Ttl) * time.Second
-			if r.Header().Rrtype == dns.TypeSOA {
-				minTTL = time.Duration(r.(*dns.SOA).Minttl) * time.Second
-			}
-		case response.NoError, response.Delegation:
-			if r.Header().Ttl < uint32(minTTL.Seconds()) {
-				minTTL = time.Duration(r.Header().Ttl) * time.Second
-			}
 		}
 	}
 
@@ -50,15 +37,8 @@ func MinimalTTL(m *dns.Msg, mt response.Type) time.Duration {
 			// OPT records use TTL field for extended rcode and flags
 			continue
 		}
-		switch mt {
+		if r.Header().Ttl < uint32(minTTL.Seconds()) {
-		case response.NameError, response.NoData:
+			minTTL = time.Duration(r.Header().Ttl) * time.Second
-			if r.Header().Rrtype == dns.TypeSOA {
-				minTTL = time.Duration(r.(*dns.SOA).Minttl) * time.Second
-			}
-		case response.NoError, response.Delegation:
-			if r.Header().Ttl < uint32(minTTL.Seconds()) {
-				minTTL = time.Duration(r.Header().Ttl) * time.Second
-			}
 		}
 	}
 	return minTTL

plugin/pkg/dnsutil/ttl_test.go

@@ -26,8 +26,8 @@ func TestMinimalTTL(t *testing.T) {
 		t.Fatalf("Expected type to be response.NoData, got %s", mt)
 	}
 	dur := MinimalTTL(m, mt) // minTTL on msg is 3600 (neg. ttl on SOA)
-	if dur != time.Duration(3600*time.Second) {
+	if dur != time.Duration(1800*time.Second) {
-		t.Fatalf("Expected minttl duration to be %d, got %d", 3600, dur)
+		t.Fatalf("Expected minttl duration to be %d, got %d", 1800, dur)
 	}
 
 	m.Rcode = dns.RcodeNameError
@@ -36,8 +36,8 @@ func TestMinimalTTL(t *testing.T) {
 		t.Fatalf("Expected type to be response.NameError, got %s", mt)
 	}
 	dur = MinimalTTL(m, mt) // minTTL on msg is 3600 (neg. ttl on SOA)
-	if dur != time.Duration(3600*time.Second) {
+	if dur != time.Duration(1800*time.Second) {
-		t.Fatalf("Expected minttl duration to be %d, got %d", 3600, dur)
+		t.Fatalf("Expected minttl duration to be %d, got %d", 1800, dur)
 	}
 }