Open Bug 2049173 Opened 7 days ago Updated 6 days ago

Honor SOA-derived negative TTL (RFC 2308) for DNS over DoH

Categories: Core :: Networking: DNS, enhancement, P2
Status: ASSIGNED
People: Reporter: mail, Assigned: mail
References: Blocks 1 open bug
Details: Keywords: perf, Whiteboard: [necko-triaged]
Attachments: 1 file

Negative DNS answers (NXDOMAIN/NODATA) carry their cache lifetime via the SOA record in the authority section, computed as min(SOA MINIMUM, SOA record TTL) per RFC 2308 section 3. On the DoH/TRR path Firefox parsed the answer but skipped the authority section, so negative results were cached for a fixed lifetime (60s for address records via NEGATIVE_RECORD_LIFETIME; network.dns.negative_ttl_for_type_record, default 300s, for type records) rather than the zone-specified value.

This re-resolves negatives more often than the zone intends, most visibly in TRR mode where Firefox's fixed TTL is the only cache layer (the native path goes through getaddrinfo, which exposes no SOA and whose OS resolver already honors RFC 2308). For example, v4-only hosts (empty AAAA) re-issue a blocking AAAA query every 60s.

Proposed change (DoH/TRR only):

  • Parse the SOA MINIMUM from the authority section in DNSPacket and expose min(MINIMUM, SOA record TTL) via DNSPacket::GetNegativeTTL (MINIMUM is the trailing 32-bit field of the SOA RDATA, so MNAME/RNAME need not be parsed).
  • Use it for the negative-cache expiration in nsHostResolver, clamped to a maximum (1 hour) so a large zone MINIMUM cannot pin a negative for too long, with fallback to the existing fixed defaults when no SOA is present.
  • Add a TRRQuery profiler marker (Socket Thread) summarising each DoH query, including the negative TTL, for observability.

Precedent: bug 1743995 added positive-answer TTL parsing from DoH in the same decoder; this is the negative analog. The cap and the existing refresh-flag bypass are intended to avoid regressing bug 2044910 (NXDOMAIN cached too long).

Negative answers (NXDOMAIN/NODATA) carry their lifetime via the SOA in the
authority section, as min(SOA MINIMUM, SOA TTL). The DoH/TRR decoder skipped
that section, so negatives used a fixed lifetime.

Parse the SOA in DNSPacket (MINIMUM is the trailing RDATA field) and apply
min(MINIMUM, SOA TTL) to the negative cache via the host record, clamped to
1 hour, with fallback to the existing fixed defaults. Native resolution is
unchanged since getaddrinfo exposes no SOA. Add a TRRQuery profiler marker
for observability.
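The following is an added, stand-alone Python illustration of the negative-TTL derivation described in the bug description and in the attachment's commit message above; it is not Firefox code and does not touch DNSPacket or nsHostResolver. It walks a DNS response, finds the SOA in the authority section, reads MINIMUM as the trailing 32-bit field of the SOA RDATA, returns min(MINIMUM, SOA TTL), clamps to the proposed 1-hour cap, and falls back to the fixed defaults quoted in the report (60s for address records, 300s for type records) when no SOA is present. The packet builder, the helper names and the example zone values are constructed for the demonstration only.

```python
import struct

# Defaults quoted in the bug report (Firefox values); the cap is the 1-hour clamp proposed there.
NEGATIVE_RECORD_LIFETIME = 60          # address records (A/AAAA)
NEGATIVE_TTL_FOR_TYPE_RECORD = 300     # network.dns.negative_ttl_for_type_record default
MAX_NEGATIVE_TTL = 3600                # 1 hour clamp
TYPE_A, TYPE_SOA, TYPE_TXT, TYPE_AAAA = 1, 6, 16, 28
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def _skip_name(buf, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def soa_negative_ttl(packet):
    """min(SOA MINIMUM, SOA TTL) from the authority section of a negative answer, or None."""
    if len(packet) < 12:
        return None
    _, flags, qdcount, ancount, nscount, _ = struct.unpack("!HHHHHH", packet[:12])
    rcode = flags & 0x000F
    # Negative per RFC 2308: NXDOMAIN, or NOERROR with an empty answer section (NODATA).
    # NODATA answers that carry a CNAME chain in the answer section are not recognised here.
    if not (rcode == RCODE_NXDOMAIN or (rcode == RCODE_NOERROR and ancount == 0)):
        return None
    off = 12
    for _ in range(qdcount):                   # question: QNAME, then QTYPE + QCLASS (4 bytes)
        off = _skip_name(packet, off) + 4
    for _ in range(ancount):                   # answer RRs (NXDOMAIN may still carry a CNAME)
        off = _skip_name(packet, off)
        rdlen = struct.unpack("!H", packet[off + 8:off + 10])[0]
        off += 10 + rdlen
    for _ in range(nscount):                   # authority RRs: look for the SOA
        off = _skip_name(packet, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        rdata = packet[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_SOA and rdlen >= 20:
            # MINIMUM is the last 32-bit field of the SOA RDATA; MNAME/RNAME need no parsing.
            minimum = struct.unpack("!I", rdata[-4:])[0]
            return min(minimum, ttl)
    return None


def negative_cache_lifetime(packet, qtype):
    """Seconds to cache a negative result: SOA-derived TTL clamped to 1h, else the fixed default."""
    fallback = NEGATIVE_RECORD_LIFETIME if qtype in (TYPE_A, TYPE_AAAA) else NEGATIVE_TTL_FOR_TYPE_RECORD
    ttl = soa_negative_ttl(packet)
    return fallback if ttl is None else min(ttl, MAX_NEGATIVE_TTL)


def _wire_name(name):
    """Encode a dotted name as uncompressed wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_negative_response(qname, qtype, rcode, soa_ttl=None, soa_minimum=None):
    """Constructed test packet: header, one question, optional SOA in the authority section."""
    has_soa = soa_ttl is not None
    header = struct.pack("!HHHHHH", 0x1234, 0x8000 | rcode, 1, 0, 1 if has_soa else 0, 0)
    pkt = header + _wire_name(qname) + struct.pack("!HH", qtype, 1)
    if has_soa:
        # Constructed zone values: MNAME, RNAME, SERIAL, REFRESH, RETRY, EXPIRE, MINIMUM.
        rdata = _wire_name("ns1.example.") + _wire_name("hostmaster.example.")
        rdata += struct.pack("!IIIII", 2024010101, 7200, 3600, 1209600, soa_minimum)
        pkt += _wire_name("example.") + struct.pack("!HHIH", TYPE_SOA, 1, soa_ttl, len(rdata)) + rdata
    return pkt


if __name__ == "__main__":
    nx = build_negative_response("nope.example.", TYPE_A, RCODE_NXDOMAIN, soa_ttl=86400, soa_minimum=900)
    print(negative_cache_lifetime(nx, TYPE_A))   # 900: MINIMUM wins over the 86400s SOA TTL
```

The clamp is what keeps a zone with a very large MINIMUM from pinning an NXDOMAIN for longer than an hour, which is the regression risk the bug mentions; the fallback branch is what the native getaddrinfo path and SOA-less responses continue to use.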

Blocks: 2049178
QA Whiteboard: [necko-triaged]
Whiteboard: [necko-triaged]