[RPZ] DNSRPZ TTL Feature

Vernon Schryver vjs at rhyolite.com
Fri Apr 19 18:40:23 UTC 2013


(about very low TTLs considered evil)

Can a recursive server receive a record with a low TTL when
the nominal authority is really a slave to a stealth master?


> More privacy than security, but of course it depends where you draw that
> line. 

I think the distinction between security and privacy is clear,
although the same data can raise both kinds of issues.

> I've noted some instances where TTLs are purposely kept low
> apparently for tracking or statistical purposes.

I don't think the use of small TTLs for fast flux can be excused
on either "tracking" or "statistical" grounds.
I think I've heard of still other reasons for tiny TTLs that
are none of the above.

An RPZ trigger for small TTLs does not make sense to me, because
no reasonable person would say "All RRs with TTLs smaller than X
are all evil until further notice."  On the other hand, RPZ name
and IP triggers have a reasonable person maintaining a response
policy zone saying "This name or IP address is evil."


Vernon Schryver    vjs at rhyolite.com
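For readers unfamiliar with the name and IP triggers mentioned above, here is an added illustration of what a human-maintained response policy zone looks like in BIND's RPZ format; it is not from the post or the list, and the names and addresses (bad.example.com, 192.0.2.0/24) are constructed placeholders.

```zone
$TTL 3600
@                       IN SOA  localhost. hostmaster.localhost. (
                                1       ; serial
                                3600    ; refresh
                                900     ; retry
                                604800  ; expire
                                3600 )  ; negative TTL
                        IN NS   localhost.

; QNAME trigger: the zone maintainer asserts this name is evil.
; CNAME . means "answer NXDOMAIN".
bad.example.com         CNAME   .
*.bad.example.com       CNAME   .

; IP trigger: any answer carrying an address in 192.0.2.0/24 is
; rewritten. The owner is <prefixlen>.<reversed octets>.rpz-ip.
24.0.2.0.192.rpz-ip     CNAME   .
```

Each trigger records a deliberate judgement about a specific name or address block, which is the kind of statement the post contrasts with a blanket rule about TTL values.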
