On 9/2/12 21:38 , Casey Deccio wrote:
> > Is it because the resolver, even if sticky, re-queries the parent when
> > the negative TTL of the (missing) DS records ends? And chokes when it
> > receives back a NXDOMAIN?
>
> Actually, what I have observed in my limited testing is that the
> resolver re-queries the parent after the TTL of the NS RRset in the
> parent, not the negative TTL of the parent. Upon receiving a NXDOMAIN
> response, it passes that along to the client.
This is what I saw as well, but if the NS RRset is queried explicitly, then the authoritative data from the child (with its TTL) overrides the cache entry with the parent's TTL, just as described in the 'vulnerability'. However, with dnssec-validation enabled, this happens only once; so if that TTL expires, the parent is asked again. So the maximal exposure to a removed delegation with a validating BIND resolver would be TTL(NS)+TTL(RR), under very favorable conditions. This could be a long time, but it's not forever.

Best,
Gilles
.lu

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
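The cache timeline described in the two messages above, as an added toy model (not code from the thread, from BIND, or from ISC). It assumes, as the messages state, that an explicit NS query lets the child's authoritative NS TTL replace the parent-derived entry once, that the parent is re-queried when the cached NS RRset expires, that a parent NXDOMAIN is passed to the client, and additionally that a cached data RRset is served until its own TTL runs out even if the delegation entry has expired meanwhile. The TTL values and query times are constructed; the model measures how long after the delegation is pulled a client still gets an answer, and compares that against the TTL(NS)+TTL(RR) bound from the reply.

```python
"""Toy timeline model of a validating resolver's handling of a removed delegation.

Assumptions (constructed for this example, not taken from BIND source):
- an explicit NS query lets the child's authoritative NS TTL replace the
  parent-derived delegation entry, but only once per fetch from the parent;
- when the cached NS RRset expires, the parent is asked again, and a parent
  NXDOMAIN is passed to the client and empties the cache for the name;
- a cached data RRset is served until its own TTL expires, regardless of the
  state of the delegation entry.
All times are seconds on one simulated clock.
"""

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ResolverModel:
    parent_ns_ttl: int              # TTL of the delegation NS RRset at the parent
    child_ns_ttl: int               # TTL of the authoritative NS RRset at the child
    rr_ttl: int                     # TTL of the data RRset the client asks for
    delegation_removed_at: Optional[int] = None  # parent answers NXDOMAIN from then on
    ns_expiry: int = -1             # time at which the cached NS RRset expires
    child_override_used: bool = False
    rr_expiry: int = -1             # time at which the cached data RRset expires
    log: list = field(default_factory=list)

    def _parent_lookup(self, now: int) -> bool:
        """Ask the parent for the delegation; False means it answered NXDOMAIN."""
        if self.delegation_removed_at is not None and now >= self.delegation_removed_at:
            self.log.append((now, "parent: NXDOMAIN"))
            self.ns_expiry = -1
            self.rr_expiry = -1
            return False
        self.ns_expiry = now + self.parent_ns_ttl
        self.child_override_used = False   # a fresh delegation may be overridden again
        self.log.append((now, f"parent: NS cached until {self.ns_expiry}"))
        return True

    def query(self, now: int, qtype: str) -> str:
        """Resolve one client query at time `now`; qtype is 'NS' or 'A'."""
        if qtype == "A" and now < self.rr_expiry:
            return "A (cached)"          # cached data is served without any lookup
        if now >= self.ns_expiry and not self._parent_lookup(now):
            return "NXDOMAIN"            # passed straight to the client
        if qtype == "NS":
            if not self.child_override_used:
                # The child's own NS RRset, with its (usually longer) TTL,
                # replaces the parent-derived entry. This happens once.
                self.ns_expiry = now + self.child_ns_ttl
                self.child_override_used = True
                self.log.append((now, f"child: NS TTL overrides, cached until {self.ns_expiry}"))
            return "NS"
        # Data query: fetched from the child's servers via the cached delegation.
        self.rr_expiry = now + self.rr_ttl
        return "A"


def worst_case_scenario(parent_ns_ttl: int = 3600, child_ns_ttl: int = 86400,
                        rr_ttl: int = 300) -> dict:
    """Constructed scenario: delegation cached, then removed at the parent,
    then an explicit NS query pins the child's longer TTL. Returns the last
    time the data still resolves and the exposure relative to the bound."""
    m = ResolverModel(parent_ns_ttl, child_ns_ttl, rr_ttl)
    m.query(0, "A")                 # ordinary lookup: delegation and data cached
    m.delegation_removed_at = 10    # the parent drops the delegation
    m.query(100, "NS")              # explicit NS query: child TTL overrides the cache
    last_ok = None
    for t in range(101, 100 + child_ns_ttl + rr_ttl + 10):
        if m.query(t, "A") == "NXDOMAIN":
            break
        last_ok = t
    return {
        "last_answer_at": last_ok,
        "exposure_after_override": last_ok - 100,
        "bound_ttl_ns_plus_ttl_rr": child_ns_ttl + rr_ttl,
        "log": m.log,
    }


if __name__ == "__main__":
    result = worst_case_scenario()
    for when, event in result["log"]:
        print(f"t={when:>6}: {event}")
    print("last answer at", result["last_answer_at"],
          "exposure after override", result["exposure_after_override"],
          "bound", result["bound_ttl_ns_plus_ttl_rr"])
```

With the constructed TTLs the model keeps answering until the child-pinned NS entry and the last data RRset fetched under it have both expired, then the next parent lookup returns NXDOMAIN; the exposure stays within the stated TTL(NS)+TTL(RR) bound, and lengthening the child NS TTL extends it in exactly that proportion, which is the knob a defender would watch when reviewing zone TTLs.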