The easier way to mitigate is to enable DNSSEC validation on the
resolver (which is a good thing anyway). From my tests this changes the
behaviour of BIND insofar as it respects the TTL of the NS set
rather strictly, and returns to the parent on expiry.

Looks like the most efficient long-term fix to me...

Best,
Gilles

-- 
Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
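
A check to go with the suggestion in the message above, as an added example that is not part of the original post: once validation is enabled, confirm the resolver really validates by looking at the header of a `dig +dnssec` answer for a name in a signed zone. The function name `classify_dig` and the three sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify resolver behaviour from `dig +dnssec` output.
# Live use (query a name in a DNSSEC-signed zone; resolver address is an assumption):
#   classify_dig "$(dig +dnssec example.org SOA @127.0.0.1)"

# Constructed sample headers (not captured from a real server).
SAMPLE_VALIDATING=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_NOT_VALIDATING=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# classify_dig TEXT -> prints validated | unvalidated | servfail | unknown
classify_dig() {
    # Response code from the ->>HEADER<<- line.
    rcode=$(printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    # Flag list from the ";; flags:" line, up to the first semicolon.
    flags=$(printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)

    case "$rcode" in
        # A validating resolver answers SERVFAIL for data that fails validation,
        # but SERVFAIL has other causes too, so report it separately.
        SERVFAIL) echo servfail; return ;;
        NOERROR) ;;
        *) echo unknown; return ;;
    esac

    # AD (Authenticated Data) is set only when the resolver validated the answer.
    # An unsigned zone never yields AD, even on a validating resolver.
    case " $flags " in
        *" ad "*) echo validated ;;
        *) echo unvalidated ;;
    esac
}
```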
