According to the 1998-03 rfc2308#section-7.1, if the resolution is not successful, and results in a SERVFAIL (e.g., from a timeout), then it MAY be cached, but if so, it MUST NOT be cached for longer than 5 minutes.
In practice, it appears that it's often not cached at all, or, if cached, is cached for a purely symbolic amount of time, like a single second.
Prior to BIND 9.9.6-S1 (released in 2014), apparently, SERVFAIL was not cached at all.
E.g., at the time of this question and in all versions of BIND released prior to 2014, the BIND recursive resolver DID NOT cache SERVFAIL, if the above commit and the documentation about the first introduction in 9.9.6-S1 is to be believed.
In the latest BIND, the default servfail-ttl setting has been set at 1s since 2015 (as of 2016), and has been hardcoded to a ceiling of 30s (in place of the RFC-mandated ceiling of 300s).
During 2014/2015, the default was 10s, and the ceiling was 300s, but, as per the quotes below, the higher numbers were found to be unreasonably pessimistic.
The outcome of caching SERVFAIL responses has included some situations where it was seen to be detrimental to the client experience, particularly when the causes of the SERVFAIL being presented to the client were transient and from a scenario where an immediate retry of the query would be a more appropriate action.
The second tactic is to claim that widespread DNS clients will do something Particularly Evil when they are unable to reach all DNS servers. The problem with this argument is that the claim is false. Any such client is clearly buggy, and will be unable to survive in the marketplace: consider what happens if the client's routers briefly go down, or if the client's network is temporarily flooded.
In summary, SERVFAIL is unlikely to be cached, but even if cached, it'll be at most a double- or even a single-digit number of seconds.
In BIND 9.11, a SERVFAIL response is cached for 1 second by default.
From the BIND Adminstrator Reference Manual:
servfail-ttl
Sets the number of seconds to cache a SERVFAIL response due to DNSSEC validation failure or other general server failure. If set to 0, SERVFAIL caching is disabled. The SERVFAIL cache is not consulted if a query has the CD (Checking Disabled) bit set; this allows a query that failed due to DNSSEC validation to be retried without waiting for the SERVFAIL TTL to expire.
The maximum value is 30 seconds; any higher value will be silently reduced. The default is 1 second.
This is implemented as according to RFC 2308, although in practise the maximum timeouts specified therein were found to be problematic, hence why the current default.
According to the 1998-03
rfc2308#section-7.1
, if the resolution is not successful, and results in aSERVFAIL
(e.g., from a timeout), then it MAY be cached, but if so, it MUST NOT be cached for longer than 5 minutes.In practice, it appears that it's often not cached at all, or, if cached, is cached for a purely symbolic amount of time, like a single second.
Prior to BIND 9.9.6-S1 (released in 2014), apparently,
SERVFAIL
was not cached at all.It was introduced with commit
a878301
(2014-09-04).E.g., at the time of this question and in all versions of BIND released prior to 2014, the BIND recursive resolver DID NOT cache
SERVFAIL
, if the above commit and the documentation about the first introduction in 9.9.6-S1 is to be believed.In the latest BIND, the default
servfail-ttl
setting has been set at1s
since 2015 (as of 2016), and has been hardcoded to a ceiling of30s
(in place of the RFC-mandated ceiling of300s
).See commit
90174e6
(2015-10-17).During 2014/2015, the default was
10s
, and the ceiling was300s
, but, as per the quotes below, the higher numbers were found to be unreasonably pessimistic.Noteworthy references (with respective quotes) include:
https://kb.isc.org/article/AA-01178/ (2014/2016-01-07)
http://cr.yp.to/djbdns/third-party.html (2003-01-11)
In summary,
SERVFAIL
is unlikely to be cached, but even if cached, it'll be at most a double- or even a single-digit number of seconds.In BIND 9.11, a
SERVFAIL
response is cached for 1 second by default.From the BIND Adminstrator Reference Manual:
Sets the number of seconds to cache a
SERVFAIL
response due to DNSSEC validation failure or other general server failure. If set to 0,SERVFAIL
caching is disabled. TheSERVFAIL
cache is not consulted if a query has theCD
(Checking Disabled) bit set; this allows a query that failed due to DNSSEC validation to be retried without waiting for theSERVFAIL
TTL to expire.The maximum value is 30 seconds; any higher value will be silently reduced. The default is 1 second.
This is implemented as according to RFC 2308, although in practise the maximum timeouts specified therein were found to be problematic, hence why the current default.
According to http://cr.yp.to/djbdns/third-party.html
The timeout won't be cached. It has no TTL yet.