Merge branch '613-add-option-for-min-cache' into 'master'

Add min-cache-ttl and min-ncache-ttl keywords

Closes #613

See merge request isc-projects/bind9!889

CHANGES

@@ -1,3 +1,6 @@
+5091.	[func]		Two new global and per-view options max-cache-ttl
+			and min-ncache-ttl [GL #613]
+
 5090.	[bug]		dig and mdig failed to properly preparse dash value
 			pairs when value was a seperate argument and started
 			with a dash. [GL #584]

bin/named/config.c

@@ -174,6 +174,8 @@ options {\n\
 	max-recursion-queries 75;\n\
 	max-stale-ttl 604800; /* 1 week */\n\
 	message-compression yes;\n\
+	min-ncache-ttl 0; /* 0 hours */\n\
+	min-cache-ttl 0; /* 0 seconds */\n\
 #	min-roots <obsolete>;\n\
 	minimal-any false;\n\
 	minimal-responses no-auth-recursive;\n\

bin/named/named.conf.docbook

@@ -337,6 +337,8 @@ options {
 	memstatistics <replaceable>boolean</replaceable>;
 	memstatistics-file <replaceable>quoted_string</replaceable>;
 	message-compression <replaceable>boolean</replaceable>;
+	min-cache-ttl <replaceable>ttlval</replaceable>;
+	min-ncache-ttl <replaceable>ttlval</replaceable>;
 	min-refresh-time <replaceable>integer</replaceable>;
 	min-retry-time <replaceable>integer</replaceable>;
 	minimal-any <replaceable>boolean</replaceable>;

bin/named/server.c

@@ -4117,8 +4117,16 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
 	result = named_config_get(maps, "max-ncache-ttl", &obj);
 	INSIST(result == ISC_R_SUCCESS);
 	view->maxncachettl = cfg_obj_asuint32(obj);
-	if (view->maxncachettl > 7 * 24 * 3600)
-		view->maxncachettl = 7 * 24 * 3600;
+
+	obj = NULL;
+	result = named_config_get(maps, "min-cache-ttl", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	view->mincachettl = cfg_obj_asuint32(obj);
+
+	obj = NULL;
+	result = named_config_get(maps, "min-ncache-ttl", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	view->minncachettl = cfg_obj_asuint32(obj);
 
 	obj = NULL;
 	result = named_config_get(maps, "synth-from-dnssec", &obj);

bin/tests/named.conf

@@ -46,6 +46,7 @@ options {
 	memstatistics-file "named.memstats";	// _PATH_MEMSTATS
 
 	max-cache-ttl 999;
+	min-cache-ttl 66;
 	auth-nxdomain yes;		// always set AA on NXDOMAIN.
 					// don't set this to 'no' unless
 					// you know what you're doing -- older
@@ -148,6 +149,7 @@ options {
 	min-refresh-time 777;
 
 	max-ncache-ttl 333;
+	min-ncache-ttl 22;
 	min-roots 15;
 	serial-queries 34;
 

bin/tests/system/Makefile.in

@@ -69,7 +69,7 @@ PARALLEL = rpzrecurse serve-stale dnssec \
 	   rrchecker rrl rrsetorder rsabigexponent runtime \
 	   sfcache smartsign sortlist \
 	   spf staticstub statistics statschannel stub synthfromdnssec \
-	   tcp tools tsig tsiggss \
+	   tcp tools tsig tsiggss ttl \
 	   unknown upforwd verify views wildcard \
 	   xfer xferquota zero zonechecks
 

bin/tests/system/checkconf/bad-maxncachettl-2.conf

@@ -0,0 +1,14 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view two {
+	max-ncache-ttl 604801;
+};

bin/tests/system/checkconf/bad-maxncachettl-3.conf

@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view three {
+	max-ncache-ttl 4000000000;
+};
+view four {
+	max-ncache-ttl -1;
+};

bin/tests/system/checkconf/bad-maxncachettl-4.conf

@@ -0,0 +1,14 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view four {
+	max-ncache-ttl -1;
+};

bin/tests/system/checkconf/bad-mincachettl.conf

@@ -0,0 +1,14 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view one {
+	min-cache-ttl 1x;
+};

bin/tests/system/checkconf/bad-minncachettl.conf

@@ -0,0 +1,14 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view one {
+	min-ncache-ttl 1x;
+};

bin/tests/system/checkconf/good-maxncachettl.conf

@@ -16,7 +16,7 @@ view two {
 	max-ncache-ttl 86400;
 };
 view three {
-	max-ncache-ttl 4000000000;
+	max-ncache-ttl 604800;
 };
 view four {
 	max-ncache-ttl 3600s;

bin/tests/system/checkconf/good-mincachettl.conf

@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view one {
+	min-cache-ttl 0;
+};
+view two {
+	min-cache-ttl 30;
+};
+view three {
+	min-cache-ttl 60;
+};
+view four {
+	min-cache-ttl 90s;
+};
+view five {
+	min-cache-ttl 1m;
+};

bin/tests/system/checkconf/good-minncachettl.conf

@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view one {
+	min-ncache-ttl 0;
+};
+view two {
+	min-ncache-ttl 30;
+};
+view three {
+	min-ncache-ttl 60;
+};
+view four {
+	min-ncache-ttl 90s;
+};
+view five {
+	min-ncache-ttl 1m;
+};

bin/tests/system/conf.sh.in

@@ -15,10 +15,7 @@
 #
 
 # Find the top of the BIND9 tree.
-TOP=${SYSTEMTESTTOP:=.}/../../..
-
-# Make it absolute so that it continues to work after we cd.
-TOP=`cd $TOP && pwd`
+TOP=@abs_top_builddir@
 
 # Default algorithm for testing
 DEFAULT_ALGORITHM=ECDSAP256SHA256
@@ -105,7 +102,7 @@ PARALLELDIRS="acl additional addzone allow-query auth autosign \
 	rrchecker rrl rrsetorder rsabigexponent runtime \
 	serve-stale sfcache smartsign sortlist \
 	spf staticstub statistics statschannel stub synthfromdnssec \
-	tcp tools tsig tsiggss \
+	tcp tools tsig tsiggss ttl \
 	unknown upforwd verify views wildcard \
 	xfer xferquota zero zonechecks"
 

bin/tests/system/conf.sh.win32

@@ -100,7 +100,7 @@ SEQUENTIALDIRS="acl additional addzone autosign builtin \
 	 reclimit redirect resolver rndc rpz rrchecker rrl \
 	 rrsetorder rsabigexponent runtime sfcache smartsign sortlist \
 	 spf staticstub statistics statschannel stub tcp tkey tsig \
-	 tsiggss unknown upforwd verify views wildcard xfer xferquota \
+	 tsiggss ttl unknown upforwd verify views wildcard xfer xferquota \
 	 zero zonechecks"
 
 # List of tests that use unique ports (other than 5300 and 9953). These

bin/tests/system/ttl/clean.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+. ../conf.sh
+
+rm -f ./dig.out.*
+rm -f ./*/named.conf
+rm -f ./*/named.memstats
+rm -f ./*/named.run
+rm -f ./ns*/named.lock
+rm -f ./ns*/_default.nzf
+rm -f ./ns*/_default.nzd*
+rm -f ./ns*/managed-keys.bind* ns*/*.mkeys*

bin/tests/system/ttl/ns1/max-example.db

@@ -0,0 +1,9 @@
+max-example.	1209600	IN SOA	ns root (
+				2000082401 ; serial
+				1800       ; refresh (30 minutes)
+				1800       ; retry (30 minutes)
+				1814400    ; expire (3 weeks)
+				1209600    ; minimum (2 weeks)
+				)
+max-example.	1209600	IN NS	ns.max-example.
+ns.max-example.	1209600	IN A	10.53.0.1

bin/tests/system/ttl/ns1/min-example.db

@@ -0,0 +1,9 @@
+min-example.	0	IN SOA	ns root (
+				2000082401 ; serial
+				1800       ; refresh (30 minutes)
+				1800       ; retry (30 minutes)
+				1814400    ; expire (3 weeks)
+				0          ; minimum (0 seconds)
+				)
+min-example.	0	IN NS	ns.min-example.
+ns.min-example.	0	IN A	10.53.0.1

bin/tests/system/ttl/ns1/named.conf.in

@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	check-integrity no;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "min-example" {
+	type master;
+	file "min-example.db";
+};
+
+zone "max-example" {
+	type master;
+	file "max-example.db";
+};

bin/tests/system/ttl/ns2/hints.db

@@ -0,0 +1,2 @@
+. 60 IN NS ns.nil.
+ns.nil. 60 IN A 10.53.0.1

bin/tests/system/ttl/ns2/named.conf.in

@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	directory ".";
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	servfail-ttl 0;
+	max-recursion-depth 12;
+	recursion yes;
+	dnssec-validation no;
+	min-cache-ttl 60;
+	min-ncache-ttl 30;
+	max-cache-ttl 120;
+	max-ncache-ttl 60;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." { type hint; file "hints.db"; };

bin/tests/system/ttl/setup.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+. ../conf.sh
+
+$SHELL clean.sh
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf

bin/tests/system/ttl/tests.sh

@@ -0,0 +1,35 @@
+#!/bin/sh
+
+. ../conf.sh
+
+dig_with_options() { "$DIG" +noadd +nosea +nostat +noquest +nocomm +nocmd -p "${PORT}" "$@"; }
+
+status=0
+t=0
+
+echo_i "testing min-cache-ttl"
+t=$((t+1))
+dig_with_options IN SOA min-example. @10.53.0.2 > dig.out.${t}
+TTL=$(< dig.out.${t} awk '{ print $2; }')
+[ "$TTL" -eq 60 ] || status=$((status+1))
+
+echo_i "testing min-ncache-ttl"
+t=$((t+1))
+dig_with_options IN MX min-example. @10.53.0.2 > dig.out.${t}
+TTL=$(< dig.out.${t} awk '{ print $2; }')
+[ "$TTL" -eq 30 ] || status=$((status+1))
+
+echo_i "testing max-cache-ttl"
+t=$((t+1))
+dig_with_options IN SOA max-example. @10.53.0.2 > dig.out.${t}
+TTL=$(< dig.out.${t} awk '{ print $2; }')
+[ "$TTL" -eq 120 ] || status=$((status+1))
+
+echo_i "testing max-ncache-ttl"
+t=$((t+1))
+dig_with_options IN MX max-example. @10.53.0.2 > dig.out.${t}
+TTL=$(< dig.out.${t} awk '{ print $2; }')
+[ "$TTL" -eq 60 ] || status=$((status+1))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1

doc/arm/Bv9ARM-book.xml

@@ -4311,6 +4311,8 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 		  <command>max-ncache-ttl</command>,
 		  <command>max-stale-ttl</command>,
 		  <command>max-cache-size</command>, and
+		  <command>min-cache-ttl</command>,
+		  <command>min-ncache-ttl</command>,
 		  <command>zero-no-soa-ttl</command>.
 		</para>
 
@@ -8995,6 +8997,38 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      </listitem>
 	    </varlistentry>
 
+	    <varlistentry>
+	      <term><command>min-ncache-ttl</command></term>
+	      <listitem>
+		<para>
+		  To reduce network traffic and increase performance, the server
+		  stores negative answers. <command>min-ncache-ttl</command> is
+		  used to set a minimum retention time for these answers in the
+		  server in seconds.  For convenience, TTL-style time unit
+		  suffixes may be used to specify the value.  The default
+		  <command>min-ncache-ttl</command> is <literal>0</literal>
+		  seconds.  <command>min-ncache-ttl</command> cannot exceed 90
+		  seconds and will be truncated to 90 seconds if set to a
+		  greater value.
+		</para>
+	      </listitem>
+	    </varlistentry>
+
+	    <varlistentry>
+	      <term><command>min-cache-ttl</command></term>
+	      <listitem>
+		<para>
+		  Sets the minimum time for which the server will cache ordinary
+		  (positive) answers in seconds. For convenience, TTL-style time
+		  unit suffixes may be used to specify the value. The default
+		  <command>min-cache-ttl</command> is <literal>0</literal>
+		  seconds. <command>min-cache-ttl</command> cannot exceed 90
+		  seconds and will be truncated to 90 seconds if set to a
+		  greater value.
+		</para>
+	      </listitem>
+	    </varlistentry>
+
 	    <varlistentry>
 	      <term><command>max-ncache-ttl</command></term>
 	      <listitem>

doc/arm/notes.xml

@@ -216,6 +216,22 @@
 	  must be only enabled for the systems where FIPS mode is available.
 	</para>
       </listitem>
+      <listitem>
+	<para>
+	  Two new configuration options <command>min-cache-ttl</command> and
+	  <command>min-ncache-ttl</command> has been added to allow the BIND 9
+	  administrator to override the minimum TTL in the received DNS records
+	  (positive caching) and for storing the information about non-existent
+	  records (negative caching).  The configured minimum TTL for both
+	  configuration options cannot exceed 90 seconds.
+	</para>
+      </listitem>
+      <listitem>
+	<para>
+	  The configuration option <command>max-ncache-ttl</command> was
+	  silently capped to 7 days, and the upper limit is now enforced.
+	</para>
+      </listitem>
     </itemizedlist>
   </section>
 

doc/misc/options

@@ -89,9 +89,9 @@ options {
         bindkeys-file <quoted_string>;
         blackhole { <address_match_element>; ... };
         cache-file <quoted_string>;
-        catalog-zones { zone <quoted_string> [ default-masters [ port
-            <integer> ] [ dscp <integer> ] { ( <masters> | <ipv4_address> [
-            port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key
+        catalog-zones { zone <string> [ default-masters [ port <integer> ]
+            [ dscp <integer> ] { ( <masters> | <ipv4_address> [ port
+            <integer> ] | <ipv6_address> [ port <integer> ] ) [ key
             <string> ]; ... } ] [ zone-directory <quoted_string> ] [
             in-memory <boolean> ] [ min-update-interval <ttlval> ]; ... };
         check-dup-records ( fail | warn | ignore );
@@ -183,7 +183,7 @@ options {
         fstrm-set-output-queue-model ( mpsc | spsc );
         fstrm-set-output-queue-size <integer>;
         fstrm-set-reopen-interval <ttlval>;
-        geoip-directory ( <quoted_string> | none );
+        geoip-directory ( <quoted_string> | none ); // not configured
         geoip-use-ecs <boolean>; // obsolete
         glue-cache <boolean>;
         has-old-clients <boolean>; // obsolete
@@ -234,6 +234,8 @@ options {
         memstatistics <boolean>;
         memstatistics-file <quoted_string>;
         message-compression <boolean>;
+        min-cache-ttl <ttlval>;
+        min-ncache-ttl <ttlval>;
         min-refresh-time <integer>;
         min-retry-time <integer>;
         min-roots <integer>; // not implemented
@@ -305,18 +307,17 @@ options {
         resolver-retry-interval <integer>;
         response-padding { <address_match_element>; ... } block-size
             <integer>;
-        response-policy { zone <quoted_string> [ log <boolean> ] [
-            max-policy-ttl <ttlval> ] [ min-update-interval <ttlval> ] [
-            policy ( cname | disabled | drop | given | no-op | nodata |
-            nxdomain | passthru | tcp-only <quoted_string> ) ] [
-            recursive-only <boolean> ] [ nsip-enable <boolean> ] [
-            nsdname-enable <boolean> ]; ... } [ break-dnssec <boolean> ] [
-            max-policy-ttl <ttlval> ] [ min-update-interval <ttlval> ] [
-            min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [
-            qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] [
-            nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [
-            dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text>
-            } ];
+        response-policy { zone <string> [ log <boolean> ] [ max-policy-ttl
+            <ttlval> ] [ min-update-interval <ttlval> ] [ policy ( cname |
+            disabled | drop | given | no-op | nodata | nxdomain | passthru
+            | tcp-only <quoted_string> ) ] [ recursive-only <boolean> ] [
+            nsip-enable <boolean> ] [ nsdname-enable <boolean> ]; ... } [
+            break-dnssec <boolean> ] [ max-policy-ttl <ttlval> ] [
+            min-update-interval <ttlval> ] [ min-ns-dots <integer> ] [
+            nsip-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ]
+            [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [
+            nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [
+            dnsrps-options { <unspecified-text> } ];
         rfc2308-type1 <boolean>; // not yet implemented
         root-delegation-only [ exclude { <string>; ... } ];
         root-key-sentinel <boolean>;
@@ -457,9 +458,9 @@ view <string> [ <class> ] {
         auth-nxdomain <boolean>; // default changed
         auto-dnssec ( allow | maintain | off );
         cache-file <quoted_string>;
-        catalog-zones { zone <quoted_string> [ default-masters [ port
-            <integer> ] [ dscp <integer> ] { ( <masters> | <ipv4_address> [
-            port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key
+        catalog-zones { zone <string> [ default-masters [ port <integer> ]
+            [ dscp <integer> ] { ( <masters> | <ipv4_address> [ port
+            <integer> ] | <ipv6_address> [ port <integer> ] ) [ key
             <string> ]; ... } ] [ zone-directory <quoted_string> ] [
             in-memory <boolean> ] [ min-update-interval <ttlval> ]; ... };
         check-dup-records ( fail | warn | ignore );
@@ -574,6 +575,8 @@ view <string> [ <class> ] {
         max-udp-size <integer>;
         max-zone-ttl ( unlimited | <ttlval> );
         message-compression <boolean>;
+        min-cache-ttl <ttlval>;
+        min-ncache-ttl <ttlval>;
         min-refresh-time <integer>;
         min-retry-time <integer>;
         min-roots <integer>; // not implemented
@@ -635,18 +638,17 @@ view <string> [ <class> ] {
         resolver-retry-interval <integer>;
         response-padding { <address_match_element>; ... } block-size
             <integer>;
-        response-policy { zone <quoted_string> [ log <boolean> ] [
-            max-policy-ttl <ttlval> ] [ min-update-interval <ttlval> ] [
-            policy ( cname | disabled | drop | given | no-op | nodata |
-            nxdomain | passthru | tcp-only <quoted_string> ) ] [
-            recursive-only <boolean> ] [ nsip-enable <boolean> ] [
-            nsdname-enable <boolean> ]; ... } [ break-dnssec <boolean> ] [
-            max-policy-ttl <ttlval> ] [ min-update-interval <ttlval> ] [
-            min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [
-            qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] [
-            nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [
-            dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text>
-            } ];
+        response-policy { zone <string> [ log <boolean> ] [ max-policy-ttl
+            <ttlval> ] [ min-update-interval <ttlval> ] [ policy ( cname |
+            disabled | drop | given | no-op | nodata | nxdomain | passthru
+            | tcp-only <quoted_string> ) ] [ recursive-only <boolean> ] [
+            nsip-enable <boolean> ] [ nsdname-enable <boolean> ]; ... } [
+            break-dnssec <boolean> ] [ max-policy-ttl <ttlval> ] [
+            min-update-interval <ttlval> ] [ min-ns-dots <integer> ] [
+            nsip-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ]
+            [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [
+            nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [
+            dnsrps-options { <unspecified-text> } ];
         rfc2308-type1 <boolean>; // not yet implemented
         root-delegation-only [ exclude { <string>; ... } ];
         root-key-sentinel <boolean>;

lib/bind9/check.c

@@ -954,15 +954,25 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
 	uint32_t lifetime = 3600;
 	const char *ccalg = "aes";
 
+	/*
+	 * { "name", scale, value }
+	 * (scale * value) <= UINT32_MAX
+	 */
 	static intervaltable intervals[] = {
-	{ "cleaning-interval", 60, 28 * 24 * 60 },	/* 28 days */
-	{ "heartbeat-interval", 60, 28 * 24 * 60 },	/* 28 days */
-	{ "interface-interval", 60, 28 * 24 * 60 },	/* 28 days */
-	{ "max-transfer-idle-in", 60, 28 * 24 * 60 },	/* 28 days */
-	{ "max-transfer-idle-out", 60, 28 * 24 * 60 },	/* 28 days */
-	{ "max-transfer-time-in", 60, 28 * 24 * 60 },	/* 28 days */
-	{ "max-transfer-time-out", 60, 28 * 24 * 60 },	/* 28 days */
-	{ "statistics-interval", 60, 28 * 24 * 60 },	/* 28 days */
+		{ "cleaning-interval", 60, 28 * 24 * 60 },	/* 28 days */
+		{ "heartbeat-interval", 60, 28 * 24 * 60 },	/* 28 days */
+		{ "interface-interval", 60, 28 * 24 * 60 },	/* 28 days */
+		{ "max-transfer-idle-in", 60, 28 * 24 * 60 },	/* 28 days */
+		{ "max-transfer-idle-out", 60, 28 * 24 * 60 },	/* 28 days */
+		{ "max-transfer-time-in", 60, 28 * 24 * 60 },	/* 28 days */
+		{ "max-transfer-time-out", 60, 28 * 24 * 60 },	/* 28 days */
+		{ "statistics-interval", 60, 28 * 24 * 60 },	/* 28 days */
+
+		/* minimum and maximum cache and negative cache TTLs */
+		{ "min-cache-ttl", 1, MAX_MIN_CACHE_TTL },	/* 90 secs */
+		{ "max-cache-ttl", 1, UINT32_MAX },		/* no limit */
+		{ "min-ncache-ttl", 1, MAX_MIN_NCACHE_TTL},	/* 90 secs */
+		{ "max-ncache-ttl", 1, MAX_MAX_NCACHE_TTL },	/*  7 days */
 	};
 
 	static const char *server_contact[] = {

lib/bind9/include/bind9/check.h

@@ -20,6 +20,18 @@
 
 #include <isccfg/cfg.h>
 
+#ifndef MAX_MIN_CACHE_TTL
+#define MAX_MIN_CACHE_TTL 90
+#endif /* MAX_MIN_CACHE_TTL */
+
+#ifndef MAX_MIN_NCACHE_TTL
+#define MAX_MIN_NCACHE_TTL 90
+#endif /* MAX_MIN_NCACHE_TTL */
+
+#ifndef MAX_MAX_NCACHE_TTL
+#define MAX_MAX_NCACHE_TTL 7 * 24 * 3600
+#endif /* MAX_MAX_NCACHE_TTL */
+
 ISC_LANG_BEGINDECLS
 
 isc_result_t

lib/dns/include/dns/ncache.h

@@ -56,12 +56,14 @@ ISC_LANG_BEGINDECLS
 
 isc_result_t
 dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
-	       dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
+	       dns_rdatatype_t covers, isc_stdtime_t now,
+	       dns_ttl_t minttl, dns_ttl_t maxttl,
 	       dns_rdataset_t *addedrdataset);
 isc_result_t
 dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache,
 		     dns_dbnode_t *node, dns_rdatatype_t covers,
-		     isc_stdtime_t now, dns_ttl_t maxttl,
+		     isc_stdtime_t now,
+		     dns_ttl_t minttl, dns_ttl_t maxttl,
 		     bool optout, dns_rdataset_t *addedrdataset);
 /*%<
  * Convert the authority data from 'message' into a negative cache

lib/dns/include/dns/view.h

@@ -154,6 +154,8 @@ struct dns_view {
 	bool			sendcookie;
 	dns_ttl_t			maxcachettl;
 	dns_ttl_t			maxncachettl;
+	dns_ttl_t			mincachettl;
+	dns_ttl_t			minncachettl;
 	uint32_t			nta_lifetime;
 	uint32_t			nta_recheck;
 	char				*nta_file;

lib/dns/ncache.c

@@ -45,7 +45,8 @@
 
 static isc_result_t
 addoptout(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
-	  dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
+	  dns_rdatatype_t covers, isc_stdtime_t now,
+	  dns_ttl_t minttl, dns_ttl_t maxttl,
 	  bool optout, bool secure,
 	  dns_rdataset_t *addedrdataset);
 
@@ -95,26 +96,29 @@ copy_rdataset(dns_rdataset_t *rdataset, isc_buffer_t *buffer) {
 
 isc_result_t
 dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
-	       dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
+	       dns_rdatatype_t covers, isc_stdtime_t now,
+	       dns_ttl_t minttl, dns_ttl_t maxttl,
 	       dns_rdataset_t *addedrdataset)
 {
-	return (addoptout(message, cache, node, covers, now, maxttl,
+	return (addoptout(message, cache, node, covers, now, minttl, maxttl,
 			  false, false, addedrdataset));
 }
 
 isc_result_t
 dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache,
 		     dns_dbnode_t *node, dns_rdatatype_t covers,
-		     isc_stdtime_t now, dns_ttl_t maxttl,
+		     isc_stdtime_t now,
+		     dns_ttl_t minttl, dns_ttl_t maxttl,
 		     bool optout, dns_rdataset_t *addedrdataset)
 {
-	return (addoptout(message, cache, node, covers, now, maxttl,
+	return (addoptout(message, cache, node, covers, now, minttl, maxttl,
 			  optout, true, addedrdataset));
 }
 
 static isc_result_t
 addoptout(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
-	  dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
+	  dns_rdatatype_t covers, isc_stdtime_t now,
+	  dns_ttl_t minttl, dns_ttl_t maxttl,
 	  bool optout, bool secure,
 	  dns_rdataset_t *addedrdataset)
 {
@@ -179,10 +183,15 @@ addoptout(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 				if (type == dns_rdatatype_soa ||
 				    type == dns_rdatatype_nsec ||
 				    type == dns_rdatatype_nsec3) {
-					if (ttl > rdataset->ttl)
+					if (ttl > rdataset->ttl) {
 						ttl = rdataset->ttl;
-					if (trust > rdataset->trust)
+					}
+					if (ttl < minttl) {
+						ttl = minttl;
+					}
+					if (trust > rdataset->trust) {
 						trust = rdataset->trust;
+					}
 					/*
 					 * Copy the owner name to the buffer.
 					 */

lib/dns/resolver.c

@@ -592,7 +592,9 @@ static bool fctx_unlink(fetchctx_t *fctx);
 static isc_result_t ncache_adderesult(dns_message_t *message,
 				      dns_db_t *cache, dns_dbnode_t *node,
 				      dns_rdatatype_t covers,
-				      isc_stdtime_t now, dns_ttl_t maxttl,
+				      isc_stdtime_t now,
+				      dns_ttl_t minttl,
+				      dns_ttl_t maxttl,
 				      bool optout,
 				      bool secure,
 				      dns_rdataset_t *ardataset,
@@ -5464,8 +5466,10 @@ validated(isc_task_t *task, isc_event_t *event) {
 			ttl = 0;
 
 		result = ncache_adderesult(fctx->rmessage, fctx->cache, node,
-					   covers, now, ttl, vevent->optout,
-					   vevent->secure, ardataset, &eresult);
+					   covers, now,
+					   fctx->res->view->minncachettl, ttl,
+					   vevent->optout, vevent->secure,
+					   ardataset, &eresult);
 		if (result != ISC_R_SUCCESS)
 			goto noanswer_response;
 		goto answer_response;
@@ -5958,6 +5962,13 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 			rdataset->ttl = res->view->maxcachettl;
 		}
 
+		/*
+		 * Enforce configured minimum cache TTL.
+		 */
+		if (rdataset->ttl < res->view->mincachettl) {
+			rdataset->ttl = res->view->mincachettl;
+		}
+
 		/*
 		 * Mark the rdataset as being prefetch eligible.
 		 */
@@ -6346,7 +6357,8 @@ cache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_stdtime_t now)
  */
 static isc_result_t
 ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
-		  dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
+		  dns_rdatatype_t covers, isc_stdtime_t now,
+		  dns_ttl_t minttl, dns_ttl_t maxttl,
 		  bool optout, bool secure,
 		  dns_rdataset_t *ardataset, isc_result_t *eresultp)
 {
@@ -6359,10 +6371,10 @@ ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 	}
 	if (secure)
 		result = dns_ncache_addoptout(message, cache, node, covers,
-					      now, maxttl, optout, ardataset);
+					      now, minttl, maxttl, optout, ardataset);
 	else
 		result = dns_ncache_add(message, cache, node, covers, now,
-					maxttl, ardataset);
+					minttl, maxttl, ardataset);
 	if (result == DNS_R_UNCHANGED || result == ISC_R_SUCCESS) {
 		/*
 		 * If the cache now contains a negative entry and we
@@ -6537,8 +6549,9 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 		ttl = 0;
 
 	result = ncache_adderesult(fctx->rmessage, fctx->cache, node,
-				   covers, now, ttl, false,
-				   false, ardataset, &eresult);
+				   covers, now,
+				   fctx->res->view->minncachettl, ttl,
+				   false, false, ardataset, &eresult);
 	if (result != ISC_R_SUCCESS)
 		goto unlock;
 

lib/isccfg/namedconf.c

@@ -1929,6 +1929,8 @@ view_clauses[] = {
 	{ "max-stale-ttl", &cfg_type_ttlval, 0 },
 	{ "max-udp-size", &cfg_type_uint32, 0 },
 	{ "message-compression", &cfg_type_boolean, 0 },
+	{ "min-cache-ttl", &cfg_type_ttlval, 0 },
+	{ "min-ncache-ttl", &cfg_type_ttlval, 0 },
 	{ "min-roots", &cfg_type_uint32, CFG_CLAUSEFLAG_NOTIMP },
 	{ "minimal-any", &cfg_type_boolean, 0 },
 	{ "minimal-responses", &cfg_type_minimal, 0 },

util/copyrights

@@ -1089,6 +1089,14 @@
 ./bin/tests/system/tsiggss/prereq.sh		SH	2010,2011,2012,2014,2016,2018
 ./bin/tests/system/tsiggss/setup.sh		SH	2010,2011,2012,2014,2016,2017,2018
 ./bin/tests/system/tsiggss/tests.sh		SH	2010,2011,2014,2016,2017,2018
+./bin/tests/system/ttl/clean.sh			X	2018
+./bin/tests/system/ttl/ns1/max-example.db	X	2018
+./bin/tests/system/ttl/ns1/min-example.db	X	2018
+./bin/tests/system/ttl/ns1/named.conf.in	X	2018
+./bin/tests/system/ttl/ns2/hints.db		X	2018
+./bin/tests/system/ttl/ns2/named.conf.in	X	2018
+./bin/tests/system/ttl/setup.sh			X	2018
+./bin/tests/system/ttl/tests.sh			X	2018
 ./bin/tests/system/unknown/clean.sh		SH	2000,2001,2004,2007,2012,2013,2014,2015,2016,2018
 ./bin/tests/system/unknown/large.out		X	2012,2018
 ./bin/tests/system/unknown/ns3/sign.sh		SH	2012,2014,2016,2017,2018