On 08/06/16 07:23, Bill Cole wrote:
> postconf(5) says:
>
> postscreen_dnsbl_min_ttl (default: 60s)
>
> So by default, postscreen will not query dnsblog regarding a specific
> address and DNSBL for 60 seconds after dnsblog has returned a TTL in the
> 0-60 range for that address and DNSBL.
Correct. I missed your point earlier. There is certainly up to a 60 second window by default here. This could be shortened to a minimum of one second by changing the above-mentioned setting if it becomes an issue (it hasn't yet for me, but if it did I think lowering this setting would be the better way to deal with it). I'm not sure if you could set it to not cache at all, since the docs say that it requires a "non-zero time value".

> The issue of what dnsblog returns for various types of DNS query
> outcomes is more subtle than it may seem, since some DNSBLs (e.g. the
> MailSpike lists) do not publish authoritative SOA or NS records in the
> root zone of their DNSBLs but do publish NS delegation records in the
> parent zone.

Which violates RFC 2308:

    Name servers authoritative for a zone MUST include the SOA record of
    the zone in the authority section of the response when reporting an
    NXDOMAIN or indicating that no data of the requested type exists.

> As a result, NXDOMAIN and NOERR/NODATA replies for
> non-listed addresses provide no basis for any particular TTL being
> applied to an explicitly negative reply from lists run that way.

...

The next sentence in RFC 2308 supplies a hint as to what should be done in this case:

    This is required so that the response may be cached.

...so you should not attempt to cache a negative response that does not include an SOA record, because that record is "required" to be able to cache it. dnsblog(8) correctly does this by returning a -1 response, but postscreen(8) will still cache that negative response for postscreen_dnsbl_min_ttl seconds, which I suppose violates the RFC here. I'm not sure if that's the best course of action or not in this case, but it's the course that has been chosen by default.

Peter
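The RFC 2308 negative-TTL rule and the postscreen_dnsbl_min_ttl floor discussed in the thread, as an added worked model that is not Postfix code and not part of the original messages. The dataclasses, the NOT_CACHEABLE value and the max(ttl, min_ttl) model of postscreen's floor are assumptions drawn from the thread's description, not from the Postfix source.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed model of a DNSBL reply as dnsblog(8) would see it (assumption: simplified).


@dataclass
class SoaRecord:
    ttl: int      # TTL of the SOA record itself, as sent in the authority section
    minimum: int  # the SOA MINIMUM field


@dataclass
class DnsReply:
    rcode: str                             # "NOERROR" or "NXDOMAIN"
    answer_ttls: List[int] = field(default_factory=list)  # A-record TTLs (listed address)
    authority_soa: Optional[SoaRecord] = None             # SOA from authority section, if any


NOT_CACHEABLE = -1  # the thread says dnsblog returns -1 when a negative reply has no SOA


def dnsblog_reply_ttl(reply: DnsReply) -> int:
    """TTL a dnsblog-like helper should report for a reply.

    Positive listing: the A record's TTL. Negative reply (NXDOMAIN or NODATA):
    RFC 2308 section 3 sets the negative TTL to min(SOA MINIMUM, SOA TTL) from
    the authority section. With no SOA there is nothing to derive it from, so
    the reply is not cacheable (the -1 the thread describes)."""
    if reply.answer_ttls:
        return min(reply.answer_ttls)
    if reply.authority_soa is None:
        return NOT_CACHEABLE
    return min(reply.authority_soa.minimum, reply.authority_soa.ttl)


def postscreen_cache_seconds(dnsblog_ttl: int, dnsbl_min_ttl: int = 60) -> int:
    """Model of the floor the thread describes: postscreen will not re-query for at
    least postscreen_dnsbl_min_ttl seconds (default 60s), even when dnsblog said -1.
    Assumption: modelled as max(ttl, min_ttl) from the thread, not from Postfix code."""
    return max(dnsblog_ttl, dnsbl_min_ttl)


# Constructed sample: a DNSBL that delegates the zone but publishes no SOA for it.
NO_SOA_NXDOMAIN = DnsReply(rcode="NXDOMAIN")
WITH_SOA_NXDOMAIN = DnsReply(rcode="NXDOMAIN", authority_soa=SoaRecord(ttl=900, minimum=300))
```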