On 11 Feb 2018, at 9:54 (-0500), Benny Pedersen wrote:

first query would be valid for 300 secs, but that is imho still not free, problem is that keeping low ttls does not change how dns works, any auth dns servers will update on soa serial anyway, the crime comes in when sa using remote dns servers that ignore soa serial updates

in that case ttls would keep spammers listed for 300 secs only

That's not how DNS TTLs work.

When a record's TTL elapses in the local name cache, it is dropped. The next query for that name and record type causes the resolver to make another query to the authoritative nameservers, which will return the same record whose TTL expired unless it has been removed from the zone. No standards-conforming DNS resolver returns NXDOMAIN based on the lack of a non-expired record in its cache and an unchanged SOA serial above the name. That would make no sense at all and require many more SOA queries than actually happen.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole
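The caching behaviour described in the reply above (a record is dropped when its TTL elapses, the next query goes back to the authoritative server, and the same record comes back unless it has actually been removed from the zone) can be shown with a small simulation. This is an added example written for this page, not code from either poster or from any real resolver; the zone name `bl.example.invalid`, the listing `2.0.0.127.bl.example.invalid`, and the class and function names are constructed for illustration. Negative answers are cached here for the same fixed TTL as positive ones, a simplification of real negative caching.

```python
"""Toy caching resolver illustrating DNS TTL expiry (added example, not from the thread)."""
import time

# Constructed authoritative zone for a hypothetical DNSBL; the listed name is invented.
AUTH_ZONE = {"2.0.0.127.bl.example.invalid": "127.0.0.2"}
DEFAULT_TTL = 300  # seconds, matching the 300 s figure discussed in the thread


class Authoritative:
    """Stand-in for the authoritative nameserver of the DNSBL zone."""

    def __init__(self, zone, ttl):
        self.zone = dict(zone)
        self.ttl = ttl
        self.queries = 0  # how many lookups the cache sent upstream

    def query(self, name):
        self.queries += 1
        if name in self.zone:
            return ("A", self.zone[name], self.ttl)
        return ("NXDOMAIN", None, self.ttl)

    def delist(self, name):
        """Remove a listing from the zone (what actually makes it disappear)."""
        self.zone.pop(name, None)


class CachingResolver:
    """Minimal recursive cache: serve from cache until the TTL elapses, then re-query."""

    def __init__(self, upstream, clock=time.monotonic):
        self.upstream = upstream
        self.clock = clock
        self.cache = {}  # name -> (rcode, value, expires_at)

    def resolve(self, name):
        now = self.clock()
        entry = self.cache.get(name)
        if entry is not None and entry[2] > now:
            return entry[0], entry[1], "cache"
        # TTL elapsed or never cached: drop the entry and ask the authoritative
        # server again. Expiry alone never turns into an NXDOMAIN answer.
        self.cache.pop(name, None)
        rcode, value, ttl = self.upstream.query(name)
        self.cache[name] = (rcode, value, now + ttl)
        return rcode, value, "upstream"


def run_scenario():
    """Walk a listing through cache hit, TTL expiry, delisting and final NXDOMAIN."""
    t = [0.0]  # fake clock so the scenario runs instantly and deterministically
    auth = Authoritative(AUTH_ZONE, DEFAULT_TTL)
    res = CachingResolver(auth, clock=lambda: t[0])
    name = "2.0.0.127.bl.example.invalid"

    r1 = res.resolve(name)            # t=0: first lookup goes upstream
    t[0] = 100; r2 = res.resolve(name)  # t=100: served from cache
    t[0] = 301; r3 = res.resolve(name)  # t=301: TTL elapsed, re-queried, still listed
    auth.delist(name)                 # zone operator removes the listing
    t[0] = 400; r4 = res.resolve(name)  # t=400: stale positive answer still cached
    t[0] = 602; r5 = res.resolve(name)  # t=602: expired, re-queried, now NXDOMAIN
    return [r1, r2, r3, r4, r5], auth.queries


if __name__ == "__main__":
    answers, upstream_queries = run_scenario()
    for a in answers:
        print(a)
    print("upstream queries:", upstream_queries)
```

Two things fall out of running it: a low TTL buys nothing on its own, because the expired record is simply fetched again (the cost is the extra upstream queries, which is the "not free" part), and the only way a listing disappears is for it to leave the zone, after which the delisting still takes up to one TTL to become visible to a resolver that cached the old answer.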
