Emanuele Balla (aka Skull) skull at bofhland.org
Sat Apr 20 12:25:55 UTC 2013

On 4/20/13 1:04 PM, nudge wrote:

> Sorry, I never intended that. I was thinking of a situation where
> clients of a (closed) recursive server make the same query every minute
> for say an A record that very rarely changes but has a TTL of 60. I
> could pirate that with RPZ by providing the same A response but with a
> more reasonable TTL, if I considered that necessary.

Then hope DNSSEC never comes into play: increasing the TTL of an RRSIG
beyond the validity of the DNSKEY needed to verify it looks like an
amazing way of breaking your resolver...

There must be a reason why resolvers usually allow you to *decrease* the
TTL of the records going in the cache , but rarely allow you to increase

(BTW, IMHO this has nothing to do with RPZ, in any case...)

More information about the DNSfirewalls mailing list