Variable SOAs in negative responses

John Levine johnl at iecc.com
Mon Jan 27 18:23:00 UTC 2014


A friend (really) asks this question: they have some DNSBLs, which get
a lot of queries.  Sometimes the answer has A or TXT records, meaning
the corresponding address is listed in the DNSBL, sometimes it's
NXDOMAIN which means the address isn't.

For addresses that aren't listed, some of the NXDOMAINs are a lot less
likely to change than others, e.g., the address of an outbound mail
server at a large mail provider is unlikely ever to be listed, but a
random host at a hosting provider in India, who knows.  So he'd like
to have the TTLs on some of those NXDOMAINs be longer than others, by
putting a different TTL in the SOA in the authority section.

The DNS server isn't BIND, coding this up is easy enough.  The question
is what's likely to break at the other end.

Question: what will BIND's cache do if there are inconsistent SOAs for
NXDOMAINs in the same zone?

Bonus question: how does this answer change if we ever do DNSSEC?
(Since the server already generates the RRs on the fly, you can assume
it will do online signing.)

TIA and all that,
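Added example (not part of the post, and not the poster's DNSBL server or BIND): a tiny stdlib-only model of both ends of the scheme described above. The server side builds an NXDOMAIN response whose authority-section SOA carries a per-address TTL; the resolver side parses it and applies the RFC 2308 section 5 rule for negative caching, TTL = min(TTL of the SOA RR, MINIMUM field of the SOA), keyed by the queried name. The zone name, SOA fields, the "stable" netblock and the two TTL values are all constructed for the example; the DNSSEC side of the question is not modelled.

```python
import ipaddress
import struct

# All names, prefixes and policy values below are constructed for the example.
ZONE = "dnsbl.example."
SOA_MNAME = "ns1.dnsbl.example."
SOA_RNAME = "hostmaster.dnsbl.example."
SOA_SERIAL = 2014012701
DEFAULT_NEG_TTL = 300      # ordinary "not listed" answer
LONG_NEG_TTL = 86400       # "not listed" for addresses expected to stay clean
STABLE_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # constructed: a big mailer's outbound block


def negative_ttl_for(addr):
    """Server-side policy: how long a resolver should cache 'not listed' for addr."""
    ip = ipaddress.ip_address(addr)
    return LONG_NEG_TTL if any(ip in net for net in STABLE_NETS) else DEFAULT_NEG_TTL


def dnsbl_qname(addr):
    """Reverse the octets and put them under the zone: 1.2.3.4 -> 4.3.2.1.dnsbl.example."""
    return ".".join(reversed(addr.split("."))) + "." + ZONE


def encode_name(name):
    """Wire-format name without compression: length-prefixed labels plus a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_nxdomain(qid, addr, minimum=None):
    """NXDOMAIN response with a single SOA in the authority section.

    The SOA RR TTL carries the per-address negative TTL.  The SOA MINIMUM
    field defaults to the same value; pass a different one to see what a
    resolver does when the two disagree.
    """
    ttl = negative_ttl_for(addr)
    minimum = ttl if minimum is None else minimum
    # flags 0x8403 = QR | AA | RCODE 3 (NXDOMAIN); 1 question, 0 answer, 1 authority, 0 additional
    header = struct.pack("!HHHHHH", qid, 0x8403, 1, 0, 1, 0)
    question = encode_name(dnsbl_qname(addr)) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    rdata = (encode_name(SOA_MNAME) + encode_name(SOA_RNAME)
             + struct.pack("!IIIII", SOA_SERIAL, 3600, 900, 604800, minimum))
    soa_rr = encode_name(ZONE) + struct.pack("!HHIH", 6, 1, ttl, len(rdata)) + rdata  # type SOA, class IN
    return header + question + soa_rr


def decode_name(msg, off):
    """Read a possibly compressed name at off; return (name, offset just past it)."""
    labels, end, jumped = [], None, False
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                  # compression pointer (RFC 1035 section 4.1.4)
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", (end if jumped else off)


def negative_cache_ttl(msg):
    """Resolver side: (qname, ttl) to cache the NXDOMAIN for, per RFC 2308 section 5:
    ttl = min(TTL of the SOA RR, MINIMUM field of the SOA).
    Returns None if the response is not NXDOMAIN or carries no SOA in the authority section."""
    _, flags, qdcount, ancount, nscount, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F != 3 or qdcount != 1:
        return None
    qname, off = decode_name(msg, 12)
    off += 4                                   # QTYPE, QCLASS
    for _ in range(ancount):                   # skip any answer RRs (e.g. a CNAME chain)
        _, off = decode_name(msg, off)
        rdlen = struct.unpack("!H", msg[off + 8:off + 10])[0]
        off += 10 + rdlen
    for _ in range(nscount):
        _, off = decode_name(msg, off)
        rtype, _, rr_ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 6:                         # SOA
            _, p = decode_name(msg, off)       # MNAME
            _, p = decode_name(msg, p)         # RNAME
            minimum = struct.unpack("!I", msg[p + 16:p + 20])[0]  # after SERIAL, REFRESH, RETRY, EXPIRE
            return qname, min(rr_ttl, minimum)
        off += rdlen
    return None


def fill_negative_cache(cache, addrs):
    """Negative cache keyed by queried name: one zone can hand different names different TTLs."""
    for i, addr in enumerate(addrs):
        qname, ttl = negative_cache_ttl(build_nxdomain(i, addr))
        cache[qname] = ttl
    return cache


if __name__ == "__main__":
    print(fill_negative_cache({}, ["198.51.100.25", "203.0.113.7"]))
    # SOA RR TTL says 86400 but MINIMUM still says 300: the resolver keeps it for 300.
    print(negative_cache_ttl(build_nxdomain(7, "198.51.100.25", minimum=300)))
```

The last line of the demo is the check worth keeping in mind: a resolver that follows RFC 2308 takes the smaller of the SOA RR TTL and the SOA MINIMUM field, so raising only the RR TTL while the MINIMUM stays at the zone default does not lengthen the negative TTL; the server has to vary both fields together, and the cached entry is per queried name, not per zone.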


