[RPZ] DNSRPZ TTL Feature

P Vixie paul at redbarn.org
Fri Apr 19 18:33:54 UTC 2013


I think in the grand scheme of rpz we should fully pirate content we consider evil, but otherwise leave traffic alone.

OpenDNS holds data beyond its TTL in some cases, and I consider it dangerous.

Note that BIND can clamp max TTL but not min TTL, because the latter is controversial.

Paul

nudge <nudgemac at fastmail.fm> wrote:

>On Fri, Apr 19, 2013, at 05:00 PM, P Vixie wrote:
>> I don't think we can know that a low TTL has no reason.
>> 
>> What security problems can you imagine solving with this feature?
>> 
>> Paul
>> 
>
>More privacy than security, but of course it depends where you draw that
>line. I've noted some instances where TTLs are purposely kept low
>apparently for tracking or statistical purposes. But anyway I can use
>other less elegant methods to deal with that if necessary.
>
>> nudge <nudgemac at fastmail.fm> wrote:
>> 
>> >Anyone else of the opinion that it would be useful to have a TTL trigger
>> >for RPZ to make it easy to fix some very low TTLs that exist for no good
>> >reason? I imagine it being useful in some other situations also.

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.