minimum cache times?

Atkins, Brian (GD/VA-NSOC) Brian.Atkins2 at va.gov
Tue Oct 5 17:46:30 UTC 2010


Thank you for all the good responses.

While I am unsure if Chrisoph's question was answered, I now understand
why most everyone thinks it is a bad idea to override the TTL for
records I am not authoritative for:

1) It's not RFC compliant for the protocol
2) Changing it could potentially increase load on the DNS servers for
other domains
3) It's bad manners.

So, that being said, can anyone suggest an alternative to my issue?

Currently, we use DNS to blackhole bad domains. The list of bad domains
is provided to us by another government entity or vetted by an
enterprise security team.

The servers I manage are the DNS servers of last resort for our internal
clients before hitting up root. However, they are not the only DNS
servers available to the clients - there are several hundred internal
servers, mostly Windows servers, that handle client queries. I have no
control over them.

So, when I add new domains to my block list, I am at the mercy of the
bad domain's TTL. I have had DNS cache thwarting my ability to block the
bad domain, sometimes for several days. 

Basically, I want to make the block occur within a couple of hours after
implementation - hence setting the max-cache-ttl.

I realize that there are other ways to do this, but I am limited by
my funding.

Thanks,

Brian
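For readers unfamiliar with the setup described above, here is an added example (not from Brian's post or his servers) of what the two pieces look like in a BIND 9 named.conf: a caching resolver with max-cache-ttl capped, plus a locally authoritative blackhole zone. The zone name, file names and address range are placeholders.

```conf
// Added example, not the original poster's configuration.
// Names, paths and the client address range are assumed placeholders.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 10.0.0.0/8; };   // internal clients only (assumed range)

    // Upper bound, in seconds, on how long any answer learned from other
    // servers stays in this resolver's cache, regardless of the TTL the
    // authoritative server sent. With the default (7 days) a record cached
    // just before a domain is added to the block list can keep resolving
    // for a week; with 7200 the window on THIS server is at most two hours.
    // The cost is what the list pointed out: every other domain is
    // re-queried more often, raising load on servers you do not own, and
    // it does nothing for downstream caches that forward to this resolver.
    max-cache-ttl 7200;
};

// One locally authoritative zone per blocked domain. Because this server
// is authoritative for it, no upstream TTL is involved: the block takes
// effect here as soon as the zone is loaded ("rndc reload").
zone "bad-domain.example" {
    type master;
    file "blackhole.db";   // shared sinkhole zone file (SOA, NS, A records)
};
```

The cap only bounds caching on the resolver it is set on; a downstream Windows DNS server that has already cached the real answer keeps serving it until its own copy expires, which is why the block can still take days to reach every client.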
