> If postscreen_dnsbl_ttl or postscreen_dnsbl_min_ttl is 3600 (1 hour) but
> the minimum TTL field of the DNSBL's SOA record is 10 (as it is for the
> SBL) then postscreen will cache the lack of a DNSBL entry for as much as
> 59 minutes and 50 seconds longer than a proper caching resolver, which
> will keep the negative response for 10 seconds at most (unless it's an
> older Microsoft DNS server or a broken Unbound instance that has been
> given a minimum TTL...)

Right.  As I mentioned, I understand that part.  My question was about v3.1+
where the default for postscreen_dnsbl_min_ttl is only 60s.  And, as I
understand it, the defaults for v3.1 would cause both the postscreen cache
ttl and the system resolver's cache ttl to be based on the same ttl from the
actual DNSBL record, thus rendering the same result for both, and the same
timeout for both.

Unless I've got that wrong, no need to respond.  


> > Also, for pre v3.1 users, is there a best practice recommended value
> > for
> > postscreen_dnsbl_ttl that is better than the default of 1 hour?
> 
> I cannot tell you who you are... :)

Of course not.  But we can all learn from the experience and reasoning of
others.  What you're doing doesn't necessarily apply to what I need.  But
your willingness to explain both what you did and WHY you did it helps me to
understand the choices and consequences that I might also need to consider.
VERY helpful.


> However, for almost everyone, an hour is too long. [clipped]

O.K.  Your description helped verify that my own reasoning was on the right
track.

Thanks again for taking the time to explain.

Michael
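To make the caching arithmetic from this thread concrete, here is an added Python illustration (not Postfix code and not written by anyone in this thread). It models the two regimes discussed: before 3.1 postscreen keeps a "not listed" result for a fixed postscreen_dnsbl_ttl, while in 3.1+ it takes the TTL from the DNS reply and clamps it to a minimum and a maximum. The thread only names postscreen_dnsbl_min_ttl; the upper bound (postscreen_dnsbl_max_ttl, assumed to default to postscreen_dnsbl_ttl) and the resolver behaviour (negative answers held for the SOA minimum TTL, RFC 2308) are assumptions labelled in the code. The SBL SOA minimum of 10 seconds is the value stated in the quoted message.

```python
"""Negative-cache window for postscreen DNSBL lookups vs. a caching resolver.

Added illustration for the thread above; not Postfix code.  Assumptions:
  * pre-3.1: postscreen keeps "not listed" for a fixed postscreen_dnsbl_ttl;
  * 3.1+:    postscreen uses the TTL of the DNS reply, clamped to
             [postscreen_dnsbl_min_ttl, postscreen_dnsbl_max_ttl]; the max
             parameter is assumed here to default to postscreen_dnsbl_ttl;
  * a conforming caching resolver keeps a negative answer for the SOA
    minimum TTL (RFC 2308); resolver-side clamping is out of scope.
"""

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PostscreenSettings:
    dnsbl_ttl: int = 3600            # postscreen_dnsbl_ttl (pre-3.1 fixed cache time, 1h)
    min_ttl: int = 60                # postscreen_dnsbl_min_ttl (3.1+ default, per thread)
    max_ttl: Optional[int] = None    # postscreen_dnsbl_max_ttl (assumed); None = dnsbl_ttl
    version_ge_31: bool = True


def postscreen_negative_ttl(record_ttl: int, s: PostscreenSettings) -> int:
    """Seconds postscreen remembers 'not listed' for one client, given the
    TTL carried by the DNSBL reply (for an NXDOMAIN that is the SOA minimum)."""
    if record_ttl < 0:
        raise ValueError("TTL cannot be negative")
    if not s.version_ge_31:
        return s.dnsbl_ttl                      # record TTL is ignored entirely
    upper = s.dnsbl_ttl if s.max_ttl is None else s.max_ttl
    return max(s.min_ttl, min(record_ttl, upper))


def resolver_negative_ttl(soa_min_ttl: int) -> int:
    """A conforming caching resolver keeps the negative answer for the SOA
    minimum TTL (RFC 2308 negative caching)."""
    return soa_min_ttl


def excess_over_resolver(record_ttl: int, s: PostscreenSettings) -> int:
    """How much longer than the resolver postscreen holds a stale 'not listed'
    verdict, i.e. the extra window in which a freshly listed client still
    passes the DNSBL check."""
    return postscreen_negative_ttl(record_ttl, s) - resolver_negative_ttl(record_ttl)


def hms(seconds: int) -> str:
    """Render seconds as 0h59m50s for the table below."""
    minutes, sec = divmod(seconds, 60)
    hours, minutes = divmod(minutes, 60)
    return f"{hours}h{minutes:02d}m{sec:02d}s"


if __name__ == "__main__":
    sbl_soa_min = 10   # SOA minimum TTL of the SBL, as stated in the thread
    cases = [
        ("pre-3.1, defaults", PostscreenSettings(version_ge_31=False)),
        ("3.1+, defaults", PostscreenSettings()),
        ("3.1+, min_ttl=10", PostscreenSettings(min_ttl=10)),
    ]
    for label, settings in cases:
        print(f"{label:20} postscreen {hms(postscreen_negative_ttl(sbl_soa_min, settings))}"
              f"  resolver {hms(resolver_negative_ttl(sbl_soa_min))}"
              f"  excess {hms(excess_over_resolver(sbl_soa_min, settings))}")
```

Running it reproduces the 59m50s excess from the quoted message for the pre-3.1 default, and shows that with the 3.1+ defaults the excess shrinks to the 50 seconds between the 60s minimum and the SBL's 10s SOA minimum; only a min_ttl at or below the SOA minimum makes the two caches expire together.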