Variable SOAs in negative responses
Dave Warren
davew at hireahit.com
Tue Jan 28 01:08:52 UTC 2014
On 2014-01-27 10:23, John Levine wrote:
> A friend (really) asks this question: they have some DNSBLs, which get
> a lot of queries. Sometimes the answer has A or TXT records, meaning
> the corresponding address is listed in the DNSBL, sometimes it's
> NXDOMAIN which means the address isn't.
>
> For addresses that aren't listed, some of the NXDOMAINs are a lot less
> likely to change than others, e.g, the address of an outbound mail
> server at a large mail provider is unlikely ever to be listed, but a
> random host at a hosting provider in India, who knows. So he'd like
> to have the TTLs on some of those NXDOMAINs be longer than others, by
> putting a different TTL in the SOA in the authority section.
>
> The DNS server isn't BIND, coding this up is easy enough. The question
> is what's likely to break at the other end.
>
> Question: what will BIND's cache do if there are inconsistent SOAs for
> NXDOMAINS in the same zone?
I've been wondering about this today, and I've come to the conclusion
that I don't know enough about BIND to really answer. But I wonder, does
BIND know it's the same zone?
At what level is the TTL for the NXDOMAIN cached? I'd assume it has to
be cached at the record level, without any particular knowledge or care
for what zone contains the record in question, no?
To simplify the question, if I'm wanting to query
z.y.x.w.bl.example.com, what happens if:
1) z.y.x.w.bl.example.com is its own zone
2) y.x.w.bl.example.com is the zone and it includes A/TXT records for
z.y.x.w.bl.example.com
3) x.w.bl.example.com is the zone and it includes A/TXT records for
z.y.x.w.bl.example.com
In all cases, let's assume that example.com delegates bl.example.com. to
ns1.example.com/ns2.example.com, and any/all subzones are delegated to
the same, so once you hit bl.example.com, everything down-level is
answered by the same servers.
AFAIK, BIND is actually querying for z.y.x.w.bl.example.com right from
the root, and it's getting referrals to com, then to example.com, then
to bl.example.com which simply answers the original question instead of
referring it down level -- So does BIND even know or care whether
z.y.x.w.bl.example.com came from y.x.w.bl.example.com or bl.example.com,
assuming that the bl.example.com server returns the final record?
Or are my assumptions wrong at any level? And if so, given that the DNS
server isn't BIND, couldn't you fake every single IP being in its own
zone, even if the "zones" are synthesized virtually? Or would that have
other side effects?
--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
" In a perfect world... spammers would get caught, go to jail,
and share a cell with many men who have enlarged their penisses,
taken Viagra and are looking for a new relationship." - bash.org
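The question above (how a cache keys negative answers, and what it does with two different SOA TTLs from the same zone) can be made concrete with a small model of RFC 2308 negative caching. The following is an added example, not code from this thread and not BIND's implementation: it assumes a resolver that derives the negative TTL from the SOA in the authority section per RFC 2308 section 3 (the smaller of the SOA RR TTL and the SOA MINIMUM field), refuses to cache a negative answer that carries no SOA (section 5), and stores NXDOMAIN entries keyed only by query name, with no notion of which zone produced them. All names and TTL values are constructed.

```python
"""Model of RFC 2308 negative caching, keyed per query name.

Added example, not BIND code. It shows the TTL a resolver following
RFC 2308 section 3 derives from the SOA in the authority section, and
that a per-name negative cache has no concept of "the zone", so two
NXDOMAINs from the same zone can carry different TTLs without conflict.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SOA:
    """The SOA record carried in the authority section of a negative answer."""
    owner: str          # zone apex, e.g. "bl.example.com."
    rr_ttl: int         # TTL of the SOA RR itself
    minimum: int        # MINIMUM field of the SOA RDATA


@dataclass
class Response:
    qname: str
    rcode: str                      # "NXDOMAIN" or "NOERROR"
    answers: list = field(default_factory=list)
    soa: Optional[SOA] = None       # None if the authority section has no SOA


def negative_ttl(resp: Response) -> int:
    """RFC 2308 section 3: negative cache TTL is the smaller of the SOA RR
    TTL and the SOA MINIMUM field. RFC 2308 section 5: a negative answer
    with no SOA should not be cached, modelled here as TTL 0."""
    if resp.soa is None:
        return 0
    return min(resp.soa.rr_ttl, resp.soa.minimum)


class NegativeCache:
    """Caches NXDOMAIN per lower-cased qname; ignores which zone answered.
    (Assumption of this model, not a statement about BIND internals.)"""

    def __init__(self):
        self._entries = {}   # qname -> (expiry timestamp, SOA owner seen)

    def store(self, resp: Response, now: int) -> int:
        """Insert a negative answer; returns the TTL used (0 = not cached)."""
        ttl = negative_ttl(resp)
        if resp.rcode != "NXDOMAIN" or ttl == 0:
            return 0
        self._entries[resp.qname.lower()] = (now + ttl, resp.soa.owner)
        return ttl

    def lookup(self, qname: str, now: int) -> Optional[int]:
        """Remaining TTL of a cached NXDOMAIN, or None if absent/expired."""
        key = qname.lower()
        entry = self._entries.get(key)
        if entry is None or entry[0] <= now:
            self._entries.pop(key, None)
            return None
        return entry[0] - now


def demo() -> dict:
    """Two NXDOMAINs from the same zone with different SOA TTLs, plus one
    with no SOA at all. All names and TTLs are constructed sample data."""
    cache = NegativeCache()
    # "large mail provider" address: server hands out a day-long SOA TTL
    big_provider = Response(
        qname="4.3.2.1.bl.example.com.", rcode="NXDOMAIN",
        soa=SOA("bl.example.com.", rr_ttl=86400, minimum=86400))
    # "random host": same zone apex, but the SOA RR TTL is only 5 minutes
    random_host = Response(
        qname="8.7.6.5.bl.example.com.", rcode="NXDOMAIN",
        soa=SOA("bl.example.com.", rr_ttl=300, minimum=86400))
    # negative answer with no SOA in the authority section
    no_soa = Response(qname="12.11.10.9.bl.example.com.", rcode="NXDOMAIN")
    cache.store(big_provider, now=0)
    cache.store(random_host, now=0)
    cache.store(no_soa, now=0)
    return {
        "big_provider_ttl_at_t600": cache.lookup(big_provider.qname, 600),
        "random_host_ttl_at_t600": cache.lookup(random_host.qname, 600),
        "no_soa_cached": cache.lookup(no_soa.qname, 0),
    }


if __name__ == "__main__":
    print(demo())
```

Under this model the two names from bl.example.com. expire independently (one is still cached after 600 seconds, the other has already gone), which is the per-record behaviour the message above speculates about; the answer without an SOA is never cached, so a server that omits the SOA to force "no negative caching" gets a fresh query every time. Whether BIND's actual cache matches this model is exactly what the thread is asking, and the example does not claim to settle it.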