[Dnsmasq-discuss] When HTTPS is added to rr-types of --cache-rr and --nonegcache is active non-HTTPS responses to HTTPS queries are not cached

Simon Kelley simon at thekelleys.org.uk
Thu Jul 10 15:57:01 UTC 2025


The whole reason that no-negcache exists is as a workaround for broken 
upstream servers which fail to find the value of a RR and just return an 
empty reply. That's less of a problem if the broken reply is not cached.

In your case, I think the answer is obvious. If you have broken upstream 
servers, what you have now is preferable to long-term outages from 
cached erroneous negative data. If your upstream servers don't have this 
pathology, (they alomost certainly don't)  don't configure no-negcache. 
It not meant for your situation and shouldn't be used.

Cheers,

Simon.



On 10/07/2025 16:14, Jay Guerette wrote:
> 
> The explicit DNS negative answer is NXDOMAIN and anything else should be 
> considered the will of the domain owner. A NOERROR response, even if 
> empty or unexpected, is a valid response. As many RRs will return an 
> empty response if not explicitly defined I agree that it doesn't make 
> sense to cache them. I disagree that we should discard a non-empty 
> response based on an opinion of it's validity.
> 
> If we can't agree on that premise I think we should have alternative 
> means to handle this. I'm explicitly configuring dnsmasq to cache these 
> RRs. Can we have additional controls around handling of non-empty responses?to 
> Currently ~50% of my household HTTP DNS traffic is for HTTPS records and 
> almost none of it is cached, so I'm open to ideas about improving that 
> situation that isn't just simply blocking them.
> 
> 
> On 7/10/25 9:57 AM, Simon Kelley wrote:
>> It depends what the _query_ is.
>>
>> If the query is for CNAME, then it's not an empty response, and it 
>> should be cache. In this case, the query is for an HTTPS record and 
>> the answer is a CNAME, but there's no answer for the target of the 
>> CNAME, so it's a negative response.
>>
>> The answer to an HTTPS query is no HTTPS record: that's a negative 
>> answer.
>>
>> Simon.
>> On 7/10/25 14:09, Jay Guerette wrote:
>>>
>>> The CNAME response is not a negative response.
>>>
>>> A negative response is an empty response; for example: dig -t HTTPS 
>>> foo.com
>>>
>>> It may not be the response you're hoping for or expecting but it is a 
>>> positive response configured by the domain owner and thus I think it 
>>> should be cached.
>>>
>>>
>>> On 7/10/25 6:43 AM, Simon Kelley wrote:
>>>>
>>>>
>>>> On 7/9/25 05:19, Jay Guerette wrote:
>>>>> Running dnsmasq 2.90 on Fedora 42.
>>>>>
>>>>> To reproduce:
>>>>> - verify caching is active and working
>>>>> - add cache-rr=HTTPS to your conf
>>>>> - verify no-negcache is NOT active in your conf
>>>>> - reload or restart dnsmasq
>>>>> - do _two_ digs for ietf.org: dig -t HTTPS @127.0.0.1 www.ietf.org
>>>>> - verify the 2nd IN HTTPS response is served from cache
>>>>> - do _two_ digs to example.com: dig -t HTTPS @127.0.0.1 
>>>>> www.example.com
>>>>> - verify the 2nd IN CNAME response is  served from cache
>>>>> - enable no-negcache in your conf
>>>>> - reload or restart dnsmasq
>>>>> - do _two_ digs for ietf.org: dig -t HTTPS @127.0.0.1 www.ietf.org
>>>>> - verify the 2nd IN HTTPS response is served from cache
>>>>> - do _two_ digs to example.com: dig -t HTTPS @127.0.0.1 
>>>>> www.example.com
>>>>> - observe the 2nd IN CNAME response is *NOT* served from cache
>>>>>
>>>>> Firefox is requesting an HTTPS record for every host name and 
>>>>> almost all return IN CNAME instead of IN HTTPS so almost none are 
>>>>> cached.
>>>>>
>>>>> I don't think that a CNAME response to an HTTPS request is a 
>>>>> negative response and expect that it would be cached.
>>>>>
>>>>
>>>> I think this is correct behaviour.
>>>>
>>>> The thing to understand here is that the CNAME chain doesn't end in 
>>>> a answer to the original question. This is therefore a negative 
>>>> response.
>>>>
>>>> You can think of the answer as being
>>>>
>>>> CNAME:www.example.com -> <NO ANSWER>
>>>>
>>>> It's telling you that there's no HTTPS data for www.example.com, and 
>>>> that's definitely a negative response.
>>>>
>>>> There are two differences here between your example.com and ietf.org 
>>>> tests. You are concentrating on the CNAME, but the difference that 
>>>> means the ietf.org gets cached and example.com doesn't is that 
>>>> www.ietf.org has an HTTPS records and www.example.com doesn't. The 
>>>> presence of CNAMEs is irrelevant.
>>>>
>>>>
>>>> Cheers,
>>>> Simon.
>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Dnsmasq-discuss mailing list
>>>>> Dnsmasq-discuss at lists.thekelleys.org.uk
>>>>> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq- 
>>>>> discuss
>>>>
>>>>
>>>> _______________________________________________
>>>> Dnsmasq-discuss mailing list
>>>> Dnsmasq-discuss at lists.thekelleys.org.uk
>>>> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq- 
>>>> discuss
>>>
>>>
>>>
>>> _______________________________________________
>>> Dnsmasq-discuss mailing list
>>> Dnsmasq-discuss at lists.thekelleys.org.uk
>>> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
>>
>>
>> _______________________________________________
>> Dnsmasq-discuss mailing list
>> Dnsmasq-discuss at lists.thekelleys.org.uk
>> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
> 
> 
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss




More information about the Dnsmasq-discuss mailing list