On 6 Jun 2016, at 16:51, Peter wrote:
On 07/06/16 01:07, Bill Cole wrote:
4. The resolver cache honors (as most do) a DNSBL's negative cache TTL which is less than 60 seconds, e.g. Spamcop (0 seconds) or the various Spamhaus lists (10) and others.
postscreen (specifically dnsblog(8)) honors this as well, but it's not
made entirely clear in the docs.
postconf(5) says:
postscreen_dnsbl_min_ttl (default: 60s)
The minimum amount of time that postscreen(8) will use the result from a successful DNS-based reputation test before a client IP address is required to pass that test again. If the DNS reply specifies a larger TTL value, that value will be used unless it would be larger than postscreen_dnsbl_max_ttl.
So by default, postscreen will not query dnsblog regarding a specific
address and DNSBL for 60 seconds after dnsblog has returned a TTL in the
0-60 range for that address and DNSBL.
The issue of what dnsblog returns for various types of DNS query
outcomes is more subtle than it may seem, since some DNSBLs (e.g. the
MailSpike lists) do not publish authoritative SOA or NS records in the
root zone of their DNSBLs but do publish NS delegation records in the
parent zone. As a result, NXDOMAIN and NOERR/NODATA replies for
non-listed addresses provide no basis for any particular TTL being
applied to an explicitly negative reply from lists run that way.
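A small simulation of the caching rule quoted from postconf(5) above, added here as an illustration; it is not Postfix code. The 60s floor is the documented postscreen_dnsbl_min_ttl default; the 3600s ceiling is an assumed value standing in for postscreen_dnsbl_max_ttl, and treating a reply without a usable TTL as TTL 0 is likewise an assumption of this example, not documented dnsblog(8) behaviour.

```python
from typing import Dict, Optional, Tuple

MIN_TTL = 60    # postscreen_dnsbl_min_ttl default, per postconf(5)
MAX_TTL = 3600  # assumed postscreen_dnsbl_max_ttl for this example


def effective_ttl(reply_ttl: Optional[int], min_ttl: int = MIN_TTL,
                  max_ttl: int = MAX_TTL) -> int:
    """Clamp the TTL carried by a DNSBL reply into [min_ttl, max_ttl].

    A reply with no usable TTL (e.g. a negative answer from a zone that
    publishes no SOA, as discussed in the thread) is treated as TTL 0 here,
    so it is held for the floor value. That is an assumption of this example.
    """
    ttl = 0 if reply_ttl is None else reply_ttl
    return max(min_ttl, min(ttl, max_ttl))


class DnsblResultCache:
    """Remembers when a (client IP, DNSBL) result expires, postscreen-style."""

    def __init__(self, min_ttl: int = MIN_TTL, max_ttl: int = MAX_TTL):
        self.min_ttl, self.max_ttl = min_ttl, max_ttl
        self._expires: Dict[Tuple[str, str], int] = {}

    def record(self, ip: str, dnsbl: str, reply_ttl: Optional[int],
               now: int) -> int:
        """Store a result received at time `now`; return the TTL applied."""
        ttl = effective_ttl(reply_ttl, self.min_ttl, self.max_ttl)
        self._expires[(ip, dnsbl)] = now + ttl
        return ttl

    def needs_lookup(self, ip: str, dnsbl: str, now: int) -> bool:
        """True if postscreen would have to ask dnsblog again for this pair."""
        expires = self._expires.get((ip, dnsbl))
        return expires is None or now >= expires


def demo() -> Tuple[int, int, int, bool, bool]:
    """Constructed scenario using the negative-cache TTLs quoted in the thread."""
    cache = DnsblResultCache()
    ip = "192.0.2.10"  # constructed client address (TEST-NET-1)
    spamcop = cache.record(ip, "bl.spamcop.net", 0, now=1000)      # 0s -> 60s
    spamhaus = cache.record(ip, "zen.spamhaus.org", 10, now=1000)  # 10s -> 60s
    # A long TTL on a listing is honoured only up to the ceiling.
    long_hit = cache.record(ip, "dnsbl.example.invalid", 7200, now=1000)
    return (spamcop, spamhaus, long_hit,
            cache.needs_lookup(ip, "bl.spamcop.net", 1059),   # still cached
            cache.needs_lookup(ip, "bl.spamcop.net", 1060))   # 60s elapsed
```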