Variable SOAs in negative responses

Mark Andrews marka at isc.org
Tue Jan 28 01:27:25 UTC 2014


In message <20140127182300.13609.qmail at joyce.lan>, "John Levine" writes:
> A friend (really) asks this question: they have some DNSBLs, which get
> a lot of queries.  Sometimes the answer has A or TXT records, meaning
> the corresponding address is listed in the DNSBL, sometimes it's
> NXDOMAIN which means the address isn't.
> 
> For addresses that aren't listed, some of the NXDOMAINs are a lot less
> likely to change than others, e.g, the address of an outbound mail
> server at a large mail provider is unlikely ever to be listed, but a
> random host at a hosting provider in India, who knows.  So he'd like
> to have the TTLs on some of those NXDOMAINs be longer than others, by
> putting a different TTL in the SOA in the authority section.
> 
> The DNS server isn't BIND, coding this up is easy enough.  The question
> is what's likely to break at the other end.

Nothing.

> Question: what will BIND's cache do if there are inconsistent SOAs for
> NXDOMAINS in the same zone?

Nothing.  Negative cache entries are independent of each other.
 
> Bonus question: how does this answer change if we ever do DNSSEC?
> (Since the server already generates the RRs on the fly, you can assume
> it will do online signing.)

Just generate the RRSIGs using the largest TTL as the original
TTL.  You can always send smaller TTL values as that is what you
get when talking to other caches.

> TIA and all that,
>
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
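As an added illustration (not part of this thread or of any BIND code), here is a Python sketch of the two points made above: a resolver's negative cache keeps one independent entry per name, with a TTL of min(SOA TTL, SOA MINIMUM) per RFC 2308, and an RRSIG whose Original TTL is the largest TTL the server will send validates whatever smaller TTL is actually served, because the validator rebuilds the RRset with the Original TTL (RFC 4035). The zone name, addresses, key, and the HMAC stand-in for a real DNSSEC signing algorithm are assumptions.

```python
import hashlib
import hmac

# Constructed sample: NXDOMAIN answers from one DNSBL zone whose authority-section
# SOA carries a per-answer TTL (zone name and 192.0.2.0/24 addresses are placeholders).
NXDOMAIN_RESPONSES = [
    {"qname": "1.2.0.192.dnsbl.example.", "soa_ttl": 86400, "soa_minimum": 86400},  # stable mail server
    {"qname": "9.8.7.6.dnsbl.example.", "soa_ttl": 300, "soa_minimum": 300},  # volatile host
]

def negative_ttl(soa_ttl, soa_minimum):
    """RFC 2308 section 5: a miss is cached for min(SOA TTL, SOA MINIMUM), so a
    server that varies only the SOA TTL can never exceed its own MINIMUM field."""
    return min(soa_ttl, soa_minimum)

class NegativeCache:
    """Resolver-side negative cache: every owner name has its own expiry."""
    def __init__(self):
        self.expiry = {}  # qname -> absolute time at which the NXDOMAIN entry expires

    def store(self, resp, now):
        self.expiry[resp["qname"]] = now + negative_ttl(resp["soa_ttl"], resp["soa_minimum"])

    def is_negative(self, qname, now):
        exp = self.expiry.get(qname)
        return exp is not None and now < exp

def canonical_rrset(owner, rtype, ttl, rdata):
    """RFC 4034 section 6 style canonical form; the TTL is part of the signed data."""
    return "|".join([owner.lower(), rtype, str(ttl), rdata]).encode()

def sign(key, owner, rtype, original_ttl, rdata):
    """Stand-in signer (HMAC instead of a real DNSSEC algorithm; an assumption)."""
    mac = hmac.new(key, canonical_rrset(owner, rtype, original_ttl, rdata), hashlib.sha256)
    return {"original_ttl": original_ttl, "signature": mac.hexdigest()}

def validate(key, owner, rtype, served_ttl, rdata, rrsig):
    """RFC 4035 section 5.3.3: the validator rebuilds the RRset with the RRSIG
    Original TTL, so a smaller served TTL still verifies; the cached TTL is then
    capped at min(served TTL, Original TTL). Returns (valid, effective_ttl)."""
    expected = sign(key, owner, rtype, rrsig["original_ttl"], rdata)["signature"]
    if not hmac.compare_digest(expected, rrsig["signature"]):
        return False, 0
    return True, min(served_ttl, rrsig["original_ttl"])

KEY = b"constructed-demo-key"
SOA_RDATA = "ns.dnsbl.example. hostmaster.dnsbl.example. 1 3600 900 604800 86400"
ORIGINAL_TTL = max(r["soa_ttl"] for r in NXDOMAIN_RESPONSES)  # sign with the largest TTL
SOA_RRSIG = sign(KEY, "dnsbl.example.", "SOA", ORIGINAL_TTL, SOA_RDATA)
```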

