In message <20140127182300.13609.qm...@joyce.lan>, "John Levine" writes:
> A friend (really) asks this question: they have some DNSBLs, which get
> a lot of queries. Sometimes the answer has A or TXT records, meaning
> the corresponding address is listed in the DNSBL, sometimes it's
> NXDOMAIN which means the address isn't.
>
> For addresses that aren't listed, some of the NXDOMAINs are a lot less
> likely to change than others, e.g., the address of an outbound mail
> server at a large mail provider is unlikely ever to be listed, but a
> random host at a hosting provider in India, who knows. So he'd like
> to have the TTLs on some of those NXDOMAINs be longer than others, by
> putting a different TTL in the SOA in the authority section.
>
> The DNS server isn't BIND, coding this up is easy enough. The question
> is what's likely to break at the other end.

Nothing.

> Question: what will BIND's cache do if there are inconsistent SOAs for
> NXDOMAINS in the same zone?

Nothing. Negative cache entries are independent of each other.

> Bonus question: how does this answer change if we ever do DNSSEC?
> (Since the server already generates the RRs on the fly, you can assume
> it will do online signing.)

Just generate the RRSIGs using the largest TTL as the original TTL. You can always send smaller TTL values, as that is what you get when talking to other caches.

> TIA and all that,
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
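
Added example (not part of the thread and not code from the DNSBL server discussed): a sketch of the per-answer policy the messages describe, where the TTL on the SOA in an NXDOMAIN's authority section varies by queried address while the RRSIG original TTL stays at the largest value ever sent. The zone name, prefixes and TTL values are constructed for illustration, and the cache model ignores signature expiry.

```python
import ipaddress

ZONE = "dnsbl.example."       # hypothetical zone name
SOA_MINIMUM = 86400           # part of the SOA RDATA, so it stays the same in every answer
RRSIG_ORIGINAL_TTL = 86400    # largest SOA TTL the server will ever send
DEFAULT_NEG_TTL = 300         # addresses whose status may change soon

# Constructed policy: prefixes whose "not listed" answer is unlikely to change.
STABLE_PREFIXES = {
    ipaddress.ip_network("192.0.2.0/24"): 86400,    # e.g. a large provider's outbound MTAs
    ipaddress.ip_network("198.51.100.0/24"): 3600,
}

def query_to_ip(qname):
    """Turn '4.3.2.1.dnsbl.example.' into IPv4Address('1.2.3.4'); None if malformed."""
    suffix = "." + ZONE
    if not qname.lower().endswith(suffix):
        return None
    labels = qname[:-len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels)))
    except ipaddress.AddressValueError:
        return None

def soa_ttl_for(qname):
    """TTL to put on the SOA in the authority section of an NXDOMAIN for qname."""
    ip = query_to_ip(qname)
    ttl = DEFAULT_NEG_TTL
    if ip is not None:
        for net, net_ttl in STABLE_PREFIXES.items():
            if ip in net:
                ttl = net_ttl
                break
    return min(ttl, RRSIG_ORIGINAL_TTL)   # never send more than what was signed

def cached_negative_ttl(soa_ttl, soa_minimum=SOA_MINIMUM, original_ttl=RRSIG_ORIGINAL_TTL):
    """How long a validating cache keeps the NXDOMAIN (simplified model)."""
    # RFC 2308: min(SOA TTL, SOA MINIMUM); RFC 4035: also capped by the RRSIG original TTL.
    return min(soa_ttl, soa_minimum, original_ttl)
```

Each negative answer is cached under its own name, so two NXDOMAINs from the same zone can carry different SOA TTLs without affecting each other.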