RPZ enabled sets TTL to 0 for ANY queries
Daniel Stirnimann
daniel.stirnimann at switch.ch
Thu Nov 7 19:01:52 UTC 2013
Hello
Sorry for cross-posting this question. I posted this question one week ago on http://lists.redbarn.org/mailman/listinfo/dnsfirewalls already but got no answer, so I am trying it here as well.
I use BIND 9.9.4 on a caching only resolver and have RPZ enabled. If I
do a lookup for any query-name with the query-type ANY, the TTLs of the
records in the answer section are always 0.
Occasionally, when I repeat the query several times with "+norec" I get
the expected answer with the "normal" TTL values of the records. If I
disable the RPZ configuration, the 0 TTL behavior disappears and I get
the "normal" TTL values of the records again.
To me, this looks like a bug. If this is not a bug, I'm wondering what the use case of this is.
My RPZ configuration looks like the following:
// RPZ
response-policy { zone "rpz-test" policy disabled; };
Sample lookup of google.ch where the TTL is 0: 'dig google.ch ANY'
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3303
;; flags: qr rd ra; QUERY: 1, ANSWER: 15, AUTHORITY: 4, ADDITIONAL: 4
;; QUESTION SECTION:
;google.ch. IN ANY
;; ANSWER SECTION:
google.ch. 0 IN SOA ns3.google.com. dns-admin.google.com. 1536918 900 900 1800 60
google.ch. 0 IN TXT "v=spf1 -all"
google.ch. 0 IN MX 10 aspmx.l.google.com.
google.ch. 0 IN MX 40 alt3.aspmx.l.google.com.
google.ch. 0 IN MX 50 alt4.aspmx.l.google.com.
google.ch. 0 IN MX 20 alt1.aspmx.l.google.com.
google.ch. 0 IN MX 30 alt2.aspmx.l.google.com.
google.ch. 0 IN AAAA 2a00:1450:400a:806::1018
google.ch. 0 IN A 173.194.116.55
google.ch. 0 IN A 173.194.116.63
google.ch. 0 IN A 173.194.116.56
google.ch. 0 IN NS ns4.google.com.
google.ch. 0 IN NS ns1.google.com.
google.ch. 0 IN NS ns2.google.com.
google.ch. 0 IN NS ns3.google.com.
;; AUTHORITY SECTION:
google.ch. 3598 IN NS ns1.google.com.
google.ch. 3598 IN NS ns2.google.com.
google.ch. 3598 IN NS ns3.google.com.
google.ch. 3598 IN NS ns4.google.com.
;; ADDITIONAL SECTION:
ns1.google.com. 172798 IN A 216.239.32.10
ns2.google.com. 172798 IN A 216.239.34.10
ns3.google.com. 172798 IN A 216.239.36.10
ns4.google.com. 172798 IN A 216.239.38.10
Repeating the lookup several times with "+norec" appended sometimes returns the expected answer with "normal" TTL values: 'dig google.ch ANY +norec'
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36418
;; flags: qr ra; QUERY: 1, ANSWER: 15, AUTHORITY: 4, ADDITIONAL: 4
;; QUESTION SECTION:
;google.ch. IN ANY
;; ANSWER SECTION:
google.ch. 1 IN SOA ns3.google.com. dns-admin.google.com. 1536918 900 900 1800 60
google.ch. 241 IN TXT "v=spf1 -all"
google.ch. 541 IN MX 20 alt1.aspmx.l.google.com.
google.ch. 541 IN MX 40 alt3.aspmx.l.google.com.
google.ch. 541 IN MX 10 aspmx.l.google.com.
google.ch. 541 IN MX 30 alt2.aspmx.l.google.com.
google.ch. 541 IN MX 50 alt4.aspmx.l.google.com.
google.ch. 241 IN AAAA 2a00:1450:400a:806::1018
google.ch. 241 IN A 173.194.116.55
google.ch. 241 IN A 173.194.116.63
google.ch. 241 IN A 173.194.116.56
google.ch. 3541 IN NS ns3.google.com.
google.ch. 3541 IN NS ns2.google.com.
google.ch. 3541 IN NS ns1.google.com.
google.ch. 3541 IN NS ns4.google.com.
;; AUTHORITY SECTION:
google.ch. 3541 IN NS ns4.google.com.
google.ch. 3541 IN NS ns2.google.com.
google.ch. 3541 IN NS ns3.google.com.
google.ch. 3541 IN NS ns1.google.com.
;; ADDITIONAL SECTION:
ns1.google.com. 172741 IN A 216.239.32.10
ns2.google.com. 172741 IN A 216.239.34.10
ns3.google.com. 172741 IN A 216.239.36.10
ns4.google.com. 172741 IN A 216.239.38.10
Daniel
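The symptom above (every ANSWER-section record at TTL 0 while the AUTHORITY section keeps its cached TTLs) is easy to spot by eye once, but a resolver operator will want to re-check it after every BIND or RPZ configuration change. The following is an added example, not code from the post or from BIND: it parses the text `dig` prints, skips the mail-wrapped SOA continuation line, and flags the zero-TTL pattern. The two samples are constructed, trimmed copies of the outputs quoted above.

```python
import re
from collections import defaultdict

# Constructed samples modelled on the two dig outputs in the post, trimmed to a few records.
SAMPLE_RPZ_ON = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3303
;; QUESTION SECTION:
;google.ch. IN ANY
;; ANSWER SECTION:
google.ch. 0 IN SOA ns3.google.com. dns-admin.google.com. 1536918 900
900 1800 60
google.ch. 0 IN MX 10 aspmx.l.google.com.
google.ch. 0 IN A 173.194.116.55
;; AUTHORITY SECTION:
google.ch. 3598 IN NS ns1.google.com.
"""
SAMPLE_NORMAL = """\
;; ANSWER SECTION:
google.ch. 1 IN SOA ns3.google.com. dns-admin.google.com. 1536918 900
900 1800 60
google.ch. 541 IN MX 10 aspmx.l.google.com.
google.ch. 241 IN A 173.194.116.55
;; AUTHORITY SECTION:
google.ch. 3541 IN NS ns4.google.com.
"""

SECTION_RE = re.compile(r"^;; (\w+) SECTION:")

def parse_sections(dig_output):
    """Return {section: [(owner, ttl, rtype, rdata), ...]} from dig's text output.
    A resource record is recognised by a numeric TTL in column 2 and the literal
    class "IN" in column 3; this also skips wrapped continuation lines such as
    '900 1800 60' and the ';google.ch. IN ANY' question line."""
    records = defaultdict(list)
    section = None
    for line in dig_output.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        f = line.split()
        if section and len(f) >= 4 and f[1].isdigit() and f[2] == "IN":
            records[section].append((f[0], int(f[1]), f[3], " ".join(f[4:])))
    return records

def zero_ttl_answers(dig_output):
    """ANSWER-section records whose TTL is 0: the symptom reported in the post."""
    return [r for r in parse_sections(dig_output)["ANSWER"] if r[1] == 0]

def looks_like_rpz_zero_ttl(dig_output):
    """True for the exact pattern shown above: every answer record at TTL 0 while
    at least one AUTHORITY record still carries a positive cached TTL."""
    secs = parse_sections(dig_output)
    answers, authority = secs["ANSWER"], secs["AUTHORITY"]
    return (bool(answers) and all(t == 0 for _, t, _, _ in answers)
            and any(t > 0 for _, t, _, _ in authority))
```

Feed it the real output with `looks_like_rpz_zero_ttl(subprocess.run(["dig", name, "ANY"], capture_output=True, text=True).stdout)` to turn the check into a quick regression test against your own resolver.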