Hi,
The problem is my good old over-complicated internal DNS structure, which conflicts with
the Internet DNS tree. Then I am getting fake NXDOMAINs (synthesized from the aggressive cache).
I'll try to shorten it.
Let's have this configuration in config.yaml:
dnssec:
  # Disable DNSSEC for internal domains
  negative-trust-anchors:
    - corp
forward:
  - subtree: "."
    servers:
      - 10.11.2.36
    options:
      authoritative: false
      dnssec: true
When I query for example proxy.corp, it seems to work, unless there is real traffic on the
resolver. When there is, after some time I am getting those fake NXDOMAIN responses. Not
consistently - it changes over time. So far all research points to RFC 8198 -
aggressive cache.
I believe this cannot be solved on knot-resolver, since negative-trust-anchors do not
disable that aggressive cache for the selected domains.
Regards,
Jiri Masek
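The following is an added illustration, not part of the post above and not Knot Resolver's code: a toy model of RFC 8198 aggressive NSEC use that shows why a name under a label such as corp, which has no delegation in the public root, can be answered NXDOMAIN straight from cache without the forwarder ever being asked. The NSEC records are constructed (their neighbours only resemble the signed root chain), and the model skips signature validation, TTLs and NSEC3; it keeps the two rules that matter here: RFC 4034 canonical name ordering, and the RFC 4035 rule that a parent-side NSEC at a delegation (NS without SOA) proves nothing about the child zone, which is why proxy.com is not synthesized while proxy.corp is.

```python
"""Toy model of RFC 8198 aggressive NSEC caching (added example, not from the post)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class NSEC:
    owner: str
    next: str
    types: frozenset  # the NSEC type bitmap, as type mnemonics


def key(name):
    """RFC 4034 section 6.1 canonical ordering key: labels reversed, case folded."""
    return tuple(reversed([l.lower().encode() for l in name.strip('.').split('.') if l]))


def is_ancestor(a, b):
    return len(a) < len(b) and b[:len(a)] == a


def covers(rr, q):
    """True if NSEC rr proves that the name with key q does not exist."""
    o, n = key(rr.owner), key(rr.next)
    if q == o:
        return False  # the name exists; at most a NODATA proof
    # RFC 4035 section 5.4: an NSEC at a delegation point (NS, no SOA) belongs to the
    # parent and says nothing about names inside the child zone.
    if is_ancestor(o, q) and 'NS' in rr.types and 'SOA' not in rr.types:
        return False
    if o < n:
        return o < q < n
    return q > o or q < n  # the last NSEC of a zone wraps around to the apex


def common_prefix(a, b):
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    return a[:i]


def closest_encloser(rr, q):
    """Longest existing ancestor of q, derived from the covering NSEC's two names."""
    return max(common_prefix(q, key(rr.owner)), common_prefix(q, key(rr.next)), key=len)


def covered_by(cache, q):
    for rr in cache:
        if covers(rr, q):
            return rr
    return None


def can_synthesize_nxdomain(cache, qname):
    """RFC 8198 section 5.1: NXDOMAIN needs a covering NSEC for the name and one for
    the wildcard at the closest encloser. Returns True if the cache proves both."""
    q = key(qname)
    rr = covered_by(cache, q)
    if rr is None:
        return False
    wildcard = closest_encloser(rr, q) + (b'*',)
    return covered_by(cache, wildcard) is not None


# Constructed sample cache: a few records shaped like the signed root chain plus one
# record from a signed example.com zone. Neighbours are illustrative, not real data.
DELEG = frozenset({'NS', 'DS', 'RRSIG', 'NSEC'})
APEX = frozenset({'NS', 'SOA', 'RRSIG', 'NSEC', 'DNSKEY'})
ROOT_NSEC = [
    NSEC('.', 'aaa.', APEX),
    NSEC('com.', 'comcast.', DELEG),
    NSEC('cool.', 'corsica.', DELEG),   # corp. sorts between these two
    NSEC('zw.', '.', DELEG),             # last record wraps to the root apex
]
EXAMPLE_NSEC = [NSEC('example.com.', 'www.example.com.', APEX)]
CACHE = ROOT_NSEC + EXAMPLE_NSEC

if __name__ == '__main__':
    for name in ('proxy.corp.', 'corp.', 'proxy.com.', 'mail.example.com.', 'zzz.'):
        verdict = 'NXDOMAIN from cache' if can_synthesize_nxdomain(CACHE, name) else 'must be resolved'
        print(f'{name:20} {verdict}')
```

Running it shows proxy.corp. and corp. answered NXDOMAIN from the cached root NSEC pair around cool./corsica., while proxy.com. escapes synthesis because the only covering record is the parent-side NSEC at the com. delegation; the negative trust anchor never enters the decision, since the proof comes from the root zone's own records rather than from anything signed under corp.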