RPZ enabled sets TTL to 0 for ANY queries

Daniel Stirnimann daniel.stirnimann at switch.ch
Thu Nov 7 19:01:52 UTC 2013


Hello

Sorry for cross-posting this question. I posted this question one
week ago on http://lists.redbarn.org/mailman/listinfo/dnsfirewalls
already but got no answer, so I am trying it here as well.

I use BIND 9.9.4 on a caching only resolver and have RPZ enabled. If I
do a lookup for any query-name with the query-type ANY, the TTLs of the
records in the answer section are always 0.
Occasionally, when I repeat the query several times with "+norec", I get
the expected answer with the "normal" TTL values of the records. If I
disable the RPZ configuration, the 0 TTL behavior disappears and I get
the "normal" TTL values of the records again.

To me, this looks like a bug. If this is not a bug, I'm wondering what
the use case of this is.


My RPZ configuration looks like the following:
        // RPZ
        response-policy { zone "rpz-test" policy disabled; };

Sample lookup of google.ch where the TTL is 0. 'dig google.ch ANY'

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3303
;; flags: qr rd ra; QUERY: 1, ANSWER: 15, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;google.ch.			IN	ANY

;; ANSWER SECTION:
google.ch.		0	IN	SOA	ns3.google.com. dns-admin.google.com. 1536918 900
900 1800 60
google.ch.		0	IN	TXT	"v=spf1 -all"
google.ch.		0	IN	MX	10 aspmx.l.google.com.
google.ch.		0	IN	MX	40 alt3.aspmx.l.google.com.
google.ch.		0	IN	MX	50 alt4.aspmx.l.google.com.
google.ch.		0	IN	MX	20 alt1.aspmx.l.google.com.
google.ch.		0	IN	MX	30 alt2.aspmx.l.google.com.
google.ch.		0	IN	AAAA	2a00:1450:400a:806::1018
google.ch.		0	IN	A	173.194.116.55
google.ch.		0	IN	A	173.194.116.63
google.ch.		0	IN	A	173.194.116.56
google.ch.		0	IN	NS	ns4.google.com.
google.ch.		0	IN	NS	ns1.google.com.
google.ch.		0	IN	NS	ns2.google.com.
google.ch.		0	IN	NS	ns3.google.com.

;; AUTHORITY SECTION:
google.ch.		3598	IN	NS	ns1.google.com.
google.ch.		3598	IN	NS	ns2.google.com.
google.ch.		3598	IN	NS	ns3.google.com.
google.ch.		3598	IN	NS	ns4.google.com.

;; ADDITIONAL SECTION:
ns1.google.com.		172798	IN	A	216.239.32.10
ns2.google.com.		172798	IN	A	216.239.34.10
ns3.google.com.		172798	IN	A	216.239.36.10
ns4.google.com.		172798	IN	A	216.239.38.10


Repeating the lookup several times with "+norec" appended sometimes
returns the expected answer with "normal" TTL values.
'dig google.ch ANY +norec'

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36418
;; flags: qr ra; QUERY: 1, ANSWER: 15, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;google.ch.			IN	ANY

;; ANSWER SECTION:
google.ch.		1	IN	SOA	ns3.google.com. dns-admin.google.com. 1536918 900
900 1800 60
google.ch.		241	IN	TXT	"v=spf1 -all"
google.ch.		541	IN	MX	20 alt1.aspmx.l.google.com.
google.ch.		541	IN	MX	40 alt3.aspmx.l.google.com.
google.ch.		541	IN	MX	10 aspmx.l.google.com.
google.ch.		541	IN	MX	30 alt2.aspmx.l.google.com.
google.ch.		541	IN	MX	50 alt4.aspmx.l.google.com.
google.ch.		241	IN	AAAA	2a00:1450:400a:806::1018
google.ch.		241	IN	A	173.194.116.55
google.ch.		241	IN	A	173.194.116.63
google.ch.		241	IN	A	173.194.116.56
google.ch.		3541	IN	NS	ns3.google.com.
google.ch.		3541	IN	NS	ns2.google.com.
google.ch.		3541	IN	NS	ns1.google.com.
google.ch.		3541	IN	NS	ns4.google.com.

;; AUTHORITY SECTION:
google.ch.		3541	IN	NS	ns4.google.com.
google.ch.		3541	IN	NS	ns2.google.com.
google.ch.		3541	IN	NS	ns3.google.com.
google.ch.		3541	IN	NS	ns1.google.com.

;; ADDITIONAL SECTION:
ns1.google.com.		172741	IN	A	216.239.32.10
ns2.google.com.		172741	IN	A	216.239.34.10
ns3.google.com.		172741	IN	A	216.239.36.10
ns4.google.com.		172741	IN	A	216.239.38.10

Daniel

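A small check for the symptom described in the post, added here as an example and not part of the original message: it parses the ANSWER SECTION of dig output (skipping wrapped RDATA continuation lines such as the SOA timers on the line after the SOA record) and reports which RR types came back with a TTL of 0, so an operator can confirm whether an RPZ configuration is affecting cached TTLs before and after a change. The sample text is constructed in dig's output format, mirroring the shape of the output quoted above.

```python
import re

# Constructed sample in dig's output format: SOA RDATA wrapped onto a second
# line and a TTL column of 0, as in the post; AUTHORITY section is not counted.
SAMPLE_ZERO_TTL = """\
;; ANSWER SECTION:
google.ch.\t\t0\tIN\tSOA\tns3.google.com. dns-admin.google.com. 1536918 900
900 1800 60
google.ch.\t\t0\tIN\tTXT\t"v=spf1 -all"
google.ch.\t\t0\tIN\tA\t173.194.116.55

;; AUTHORITY SECTION:
google.ch.\t\t3598\tIN\tNS\tns1.google.com.
"""

# Same answer with the "normal" TTL seen on a cache hit (constructed).
SAMPLE_NORMAL = SAMPLE_ZERO_TTL.replace("\t0\t", "\t241\t")

# owner  ttl  IN  type  rdata  (dig separates the columns with tabs/spaces)
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def answer_records(dig_output):
    """Return (owner, ttl, rrtype) tuples from the ANSWER SECTION only.

    Continuation lines (wrapped RDATA such as "900 1800 60") carry no
    owner/TTL/class columns, so they fail the regex and are skipped.
    """
    records = []
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";; "):
            # Every ";; ..." header switches sections; only ANSWER is wanted.
            in_answer = line.startswith(";; ANSWER SECTION")
            continue
        if not in_answer or not line.strip():
            continue
        m = RR_LINE.match(line)
        if m:
            owner, ttl, rrtype, _rdata = m.groups()
            records.append((owner, int(ttl), rrtype))
    return records


def zero_ttl_types(dig_output):
    """RR types in the answer whose TTL is 0; non-empty on a cache hit is
    the behaviour the post reports and should be compared with RPZ disabled."""
    return sorted({t for _, ttl, t in answer_records(dig_output) if ttl == 0})
```

Run it against the output of 'dig <name> ANY' with RPZ enabled and again with the response-policy block removed; a difference in zero_ttl_types() between the two runs localises the effect to the RPZ configuration.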