* John Levine:

> Since the TTL on a negative cache entry comes from the TTL on the SOA
> returned with the NXDOMAIN, this means that they'll be returning SOAs
> with different TTLs on different responses. This strikes me as
> something that's not technically illegal, but that people who write
> DNS caches didn't anticipate. Is it likely to break anything?
>
> Bonus question: with DNSSEC, a cache can use NSEC info to synthesize
> NXDOMAIN responses for nearby addresses. Will inconsistent TTLs break
> anything then?

You can avoid both issues by introducing sub-zones for the network
ranges which should receive longer TTLs. In the non-DNSSEC case, you
can simply return a SOA record whose owner name is the full QNAME.

-- 
Florian Weimer <fwei...@bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
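
The two suggestions in the reply above, sketched as an added example that is not part of the original message: each range that should get a longer negative TTL becomes its own sub-zone, so every NXDOMAIN under one SOA owner carries the same TTL. The parent zone `bl.example.`, the reversed-octet IPv4 query names, the ranges and the TTL values are all assumptions constructed for illustration.

```python
import ipaddress

# Constructed policy (assumption): parent zone and per-range negative TTLs.
PARENT_ZONE = "bl.example."
DEFAULT_NEG_TTL = 300
# Ranges that should receive longer TTLs. Prefix lengths are kept on octet
# boundaries so each range maps to exactly one sub-zone apex.
LONG_TTL_RANGES = {
    "192.0.2.0/24": 86400,
    "198.51.0.0/16": 3600,
}

def qname_for(addr: str) -> str:
    """Reversed-octet query name for an IPv4 address under the parent zone."""
    return ".".join(reversed(addr.split("."))) + "." + PARENT_ZONE

def subzone_apex(net: ipaddress.IPv4Network) -> str:
    """Owner name of the sub-zone that covers `net`."""
    if net.prefixlen == 0 or net.prefixlen % 8:
        raise ValueError("range must end on an octet boundary")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + "." + PARENT_ZONE

def negative_soa(addr: str, owner_is_qname: bool = False):
    """Return (SOA owner, SOA TTL) for an NXDOMAIN answer about `addr`.

    owner_is_qname=True models the non-DNSSEC shortcut from the reply:
    the SOA owner is the full QNAME instead of a sub-zone apex.
    """
    ip = ipaddress.IPv4Address(addr)
    best = None  # most specific matching range wins
    for cidr, ttl in LONG_TTL_RANGES.items():
        net = ipaddress.IPv4Network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ttl)
    ttl = best[1] if best else DEFAULT_NEG_TTL
    if owner_is_qname:
        return qname_for(addr), ttl
    return (subzone_apex(best[0]) if best else PARENT_ZONE), ttl

def soa_ttls_per_owner(addrs):
    """Group SOA TTLs by SOA owner; a consistent setup has one TTL each."""
    seen = {}
    for a in addrs:
        owner, ttl = negative_soa(a)
        seen.setdefault(owner, set()).add(ttl)
    return seen
```
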