[RPZ] DNSRPZ TTL Feature

nudge nudgemac at fastmail.fm
Sat Apr 20 12:38:05 UTC 2013


On Sat, Apr 20, 2013, at 02:25 PM, Emanuele Balla (aka Skull) wrote:
> On 4/20/13 1:04 PM, nudge wrote:
> 
> > Sorry, I never intended that. I was thinking of a situation where
> > clients of a (closed) recursive server make the same query every minute
> > for say an A record that very rarely changes but has a TTL of 60. I
> > could pirate that with RPZ by providing the same A response but with a
> > more reasonable TTL, if I considered that necessary.
> 
> Then hope DNSSEC never comes into play: increasing the TTL of an RRSIG
> beyond the validity of the DNSKEY needed to verify it looks like an
> amazing way of breaking your resolver...

That's determined by how you've set the {yes|no|break-dnssec} option

> There must be a reason why resolvers usually allow you to *decrease* the
> TTL of the records going in the cache, but rarely allow you to increase
> it...

I guess that's true but am curious to know the details

> (BTW, IMHO this has nothing to do with RPZ, in any case...)

If I'm the only one who does, I won't be overly surprised, just
disappointed.

Thanks
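As an added example (not from the thread, and not taken from any project's documentation), here is the kind of BIND configuration the exchange is talking about: an RPZ zone that hands back the same A record the authoritative server publishes, but with a one-hour TTL, together with the `break-dnssec` setting that decides whether such a rewrite is applied to DNSSEC-signed answers. The zone name `rpz.local`, the file name `rpz.local.db`, the owner name `www.example.com` and the address 192.0.2.10 are placeholders chosen for illustration.

```conf
// named.conf (fragment) -- assumed to belong to a closed recursive server.
// response-policy makes the resolver consult "rpz.local" before answering.
// break-dnssec no (the default) leaves DNSSEC-signed answers untouched;
// break-dnssec yes applies the rewrite to them too, so clients receive the
// policy's unsigned RRset in place of the validated one.
// max-policy-ttl caps the TTL of rewritten answers (the default is 5 seconds),
// so without raising it the 3600-second TTL in the zone file would be clipped.
options {
    recursion yes;
    dnssec-validation auto;
    response-policy { zone "rpz.local"; }
        break-dnssec no
        max-policy-ttl 3600;
};

zone "rpz.local" {
    type master;
    file "rpz.local.db";
    allow-query { none; };   // policy data is used internally, never served
};

// rpz.local.db -- the policy zone itself (zone-file syntax, ';' starts a comment)
$TTL 3600
@           IN SOA  localhost. hostmaster.localhost. ( 2013042001 3600 900 604800 3600 )
            IN NS   localhost.
; Owner names are relative to the policy zone, so this entry matches queries
; for www.example.com (placeholder). 192.0.2.10 is a made-up documentation
; address standing in for whatever the authoritative server really returns.
; The record's own TTL (3600 here) is what clients see instead of the
; upstream 60-second TTL, subject to max-policy-ttl above.
www.example.com         IN A    192.0.2.10
```

To see the effect, query the resolver with `dig @resolver www.example.com A` and compare the TTL in the answer section with the one returned by the authoritative server; with `break-dnssec no`, the override is skipped for a DNSSEC-signed name when the query sets the DO bit (`dig +dnssec`), which is the behaviour the `{yes|no}` choice above controls.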



More information about the DNSfirewalls mailing list