Thank you for all the good responses. While I am unsure if Chrisoph's question was answered, I now understand why almost everyone thinks it is a bad idea to override the TTL for records I am not authoritative for:

1) It's not RFC compliant for the protocol
2) Changing it could potentially increase load on the DNS servers for other domains
3) It's bad manners.

So, that being said, can anyone suggest an alternative to my issue? Currently, we use DNS to blackhole bad domains. The list of bad domains is provided to us from another government entity or vetted by an enterprise security team. The servers I manage are the DNS servers of last resort for our internal clients before hitting up root. However, they are not the only DNS servers available to the clients - there are several hundred internal servers, mostly Windows servers, that handle client queries. I have no control over them. So, when I add new domains to my block list, I am at the mercy of the bad domain's TTL. I have had DNS cache thwarting my ability to block the bad domain, sometimes for several days. Basically, I want to make the block occur within a couple of hours after implementation - hence setting the max-cache-ttl. I realize that there are other ways to do this, but I am limited by my funding.

Thanks,
Brian

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
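As an added illustration (not from the original post or from anyone on the list), here is what the setup Brian describes looks like in BIND 9 configuration: a resolver of last resort that caps how long any record from an external zone may sit in its cache (and therefore the TTL it hands to the downstream Windows servers that forward to it), combined with a response policy zone (RPZ) that holds the blackhole list. The zone name `rpz.local`, the file paths, the ACL name `internal` and the domain `bad.example` are assumptions chosen for the example; the 7200-second cap matches the "couple of hours" target in the post.

```conf
// ---- /etc/named.conf (assumed path) ----
acl internal { 10.0.0.0/8; 192.168.0.0/16; };   // assumed internal ranges

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { internal; };

    // Cap the TTL of every positive answer cached from the outside world
    // at two hours. BIND stores min(record TTL, max-cache-ttl) and returns
    // the remaining TTL to clients, so forwarders that cache our answers
    // hold them for at most this long too.
    max-cache-ttl 7200;

    // Same cap for negative (NXDOMAIN/NODATA) answers, 15 minutes.
    max-ncache-ttl 900;

    // Consult the local blackhole zone before answering from cache or
    // the Internet; a hit rewrites the answer according to the zone.
    response-policy { zone "rpz.local"; };
};

// The RPZ zone is local data only; nobody needs to query it directly.
zone "rpz.local" {
    type master;
    file "rpz.local.db";
    allow-query { none; };
};

; ---- /var/named/rpz.local.db (assumed path) ----
; A short $TTL here is what downstream caches receive for blackholed
; answers, so removing an entry from the list also takes effect quickly.
$TTL 300
@               IN SOA  localhost. hostmaster.localhost. (
                        2024010101 ; serial (bump on every edit, then rndc reload)
                        3600       ; refresh
                        900        ; retry
                        604800     ; expire
                        300 )      ; negative-cache TTL
                IN NS   localhost.

; CNAME to "." makes BIND answer NXDOMAIN for the name and everything under it.
bad.example     IN CNAME .
*.bad.example   IN CNAME .
```

Two caveats follow directly from the mechanism. The cap only applies to records fetched after the change, so records already in the cache keep their original TTL until they expire or are dropped with `rndc flush` (or `rndc flushname <name>` for a single name). And it only reaches the downstream Windows servers that actually forward to these resolvers: a server that already cached the real answer, or that resolves on its own, keeps that answer until its own copy times out, which is exactly the delay described in the post.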