[RPZ] DNSRPZ TTL Feature
Emanuele Balla (aka Skull)
skull at bofhland.org
Sat Apr 20 12:25:55 UTC 2013
On 4/20/13 1:04 PM, nudge wrote:
> Sorry, I never intended that. I was thinking of a situation where
> clients of a (closed) recursive server make the same query every minute
> for say an A record that very rarely changes but has a TTL of 60. I
> could pirate that with RPZ by providing the same A response but with a
> more reasonable TTL, if I considered that necessary.
Then hope DNSSEC never comes into play: increasing the TTL of an RRSIG
beyond the validity of the DNSKEY needed to verify it looks like an
amazing way of breaking your resolver...
There must be a reason why resolvers usually allow you to *decrease* the
TTL of the records going in the cache, but rarely allow you to increase
it...
(BTW, IMHO this has nothing to do with RPZ, in any case...)
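The RRSIG point above in concrete terms, as an added example that is not part of the original thread: a validating resolver caps the cache lifetime of a signed RRset per RFC 4035 section 5.3.3, so a policy rewrite can only ever shorten the TTL, never lengthen it past the signature's remaining validity. The RRSIG line, the zone name example.test and the timestamps are all constructed for this example; `check_ttl_override` is a hypothetical helper, not a feature of any resolver.

```python
from datetime import datetime, timezone

# Constructed RRSIG in presentation format for the hypothetical zone
# example.test (dummy signature data, not a real record).
RRSIG_LINE = ("example.test. 60 IN RRSIG A 8 2 60 "
              "20130420140000 20130413140000 12345 example.test. c2lnbmF0dXJl")


def at(ts):
    """Turn an RRSIG timestamp (YYYYMMDDHHMMSS) into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Split an RRSIG presentation-format line into the fields we need."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record")
    return {"owner": f[0], "ttl": int(f[1]), "type_covered": f[4],
            "orig_ttl": int(f[7]), "expiration": at(f[8]), "inception": at(f[9])}


def max_safe_ttl(rrsig, rrset_ttl, now):
    """RFC 4035 section 5.3.3: an authenticated RRset and its RRSIG may be
    cached for no longer than the minimum of the RRset TTL, the RRSIG TTL,
    the RRSIG Original TTL, and the seconds left until Signature Expiration."""
    remaining = int((rrsig["expiration"] - now).total_seconds())
    return max(0, min(rrset_ttl, rrsig["ttl"], rrsig["orig_ttl"], remaining))


def check_ttl_override(rrsig, rrset_ttl, requested_ttl, now):
    """Evaluate a policy TTL rewrite against the DNSSEC cap.

    Returns (ttl_to_use, honoured): honoured is False when the requested TTL
    would keep the answer cached past the point where its RRSIG still
    validates, in which case ttl_to_use is the capped value instead."""
    limit = max_safe_ttl(rrsig, rrset_ttl, now)
    return (min(requested_ttl, limit), requested_ttl <= limit)


if __name__ == "__main__":
    sig = parse_rrsig(RRSIG_LINE)
    now = at("20130420122555")
    print("lowering 60 -> 30:", check_ttl_override(sig, 60, 30, now))    # (30, True)
    print("raising 60 -> 3600:", check_ttl_override(sig, 60, 3600, now))  # (60, False)
    # Close to Signature Expiration even the record's own TTL must shrink.
    print("keeping 60 near expiry:",
          check_ttl_override(sig, 60, 60, at("20130420135930")))         # (30, False)
```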