Hello,

Sorry for cross-posting this question. I posted it a week ago on http://lists.redbarn.org/mailman/listinfo/dnsfirewalls already but got no answer, so I am trying here as well.

I use BIND 9.9.4 on a caching-only resolver and have RPZ enabled. If I do a lookup for any query name with query type ANY, the TTLs of the records in the answer section are always 0. Occasionally, when I repeat the query several times with "+norec", I get the expected answer with the "normal" TTL values of the records. If I disable the RPZ configuration, the 0 TTL behavior disappears and I get the "normal" TTL values of the records again. To me, this looks like a bug. If this is not a bug, I'm wondering what the use case of this is.

My RPZ configuration looks like the following:

// RPZ
response-policy { zone "rpz-test" policy disabled; };

Sample lookup of google.ch where the TTL is 0:

'dig google.ch ANY'

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3303
;; flags: qr rd ra; QUERY: 1, ANSWER: 15, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;google.ch.                     IN      ANY

;; ANSWER SECTION:
google.ch.              0       IN      SOA     ns3.google.com. dns-admin.google.com. 1536918 900 900 1800 60
google.ch.              0       IN      TXT     "v=spf1 -all"
google.ch.              0       IN      MX      10 aspmx.l.google.com.
google.ch.              0       IN      MX      40 alt3.aspmx.l.google.com.
google.ch.              0       IN      MX      50 alt4.aspmx.l.google.com.
google.ch.              0       IN      MX      20 alt1.aspmx.l.google.com.
google.ch.              0       IN      MX      30 alt2.aspmx.l.google.com.
google.ch.              0       IN      AAAA    2a00:1450:400a:806::1018
google.ch.              0       IN      A       173.194.116.55
google.ch.              0       IN      A       173.194.116.63
google.ch.              0       IN      A       173.194.116.56
google.ch.              0       IN      NS      ns4.google.com.
google.ch.              0       IN      NS      ns1.google.com.
google.ch.              0       IN      NS      ns2.google.com.
google.ch.              0       IN      NS      ns3.google.com.

;; AUTHORITY SECTION:
google.ch.              3598    IN      NS      ns1.google.com.
google.ch.              3598    IN      NS      ns2.google.com.
google.ch.              3598    IN      NS      ns3.google.com.
google.ch.              3598    IN      NS      ns4.google.com.

;; ADDITIONAL SECTION:
ns1.google.com.         172798  IN      A       216.239.32.10
ns2.google.com.         172798  IN      A       216.239.34.10
ns3.google.com.         172798  IN      A       216.239.36.10
ns4.google.com.         172798  IN      A       216.239.38.10

Repeating the lookup several times with "+norec" appended sometimes returns the expected answer with "normal" TTL values:

'dig google.ch ANY +norec'

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36418
;; flags: qr ra; QUERY: 1, ANSWER: 15, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;google.ch.                     IN      ANY

;; ANSWER SECTION:
google.ch.              1       IN      SOA     ns3.google.com. dns-admin.google.com. 1536918 900 900 1800 60
google.ch.              241     IN      TXT     "v=spf1 -all"
google.ch.              541     IN      MX      20 alt1.aspmx.l.google.com.
google.ch.              541     IN      MX      40 alt3.aspmx.l.google.com.
google.ch.              541     IN      MX      10 aspmx.l.google.com.
google.ch.              541     IN      MX      30 alt2.aspmx.l.google.com.
google.ch.              541     IN      MX      50 alt4.aspmx.l.google.com.
google.ch.              241     IN      AAAA    2a00:1450:400a:806::1018
google.ch.              241     IN      A       173.194.116.55
google.ch.              241     IN      A       173.194.116.63
google.ch.              241     IN      A       173.194.116.56
google.ch.              3541    IN      NS      ns3.google.com.
google.ch.              3541    IN      NS      ns2.google.com.
google.ch.              3541    IN      NS      ns1.google.com.
google.ch.              3541    IN      NS      ns4.google.com.

;; AUTHORITY SECTION:
google.ch.              3541    IN      NS      ns4.google.com.
google.ch.              3541    IN      NS      ns2.google.com.
google.ch.              3541    IN      NS      ns3.google.com.
google.ch.              3541    IN      NS      ns1.google.com.

;; ADDITIONAL SECTION:
ns1.google.com.         172741  IN      A       216.239.32.10
ns2.google.com.         172741  IN      A       216.239.34.10
ns3.google.com.         172741  IN      A       216.239.36.10
ns4.google.com.         172741  IN      A       216.239.38.10

Daniel

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
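A small checker, added here as an example and not part of Daniel's post or of BIND, that parses dig's text output and flags the symptom described above: every record in the ANSWER section carries TTL 0 while the AUTHORITY section still shows ordinary TTLs. Such answers are served from the resolver's cache but tell every downstream client and stub not to cache them, so the check is worth running from a monitoring script against a resolver after enabling RPZ. The two sample outputs are abridged from the dig runs quoted in the post; the function names and the `has_zero_ttl_symptom` heuristic are my own.

```python
import re
from collections import defaultdict

# One resource record as printed by dig: owner, TTL, class, type, rdata.
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")
SECTION_LINE = re.compile(r"^;; (\w+) SECTION:$")


def parse_dig_sections(text):
    """Split dig's text output into {section: [(owner, ttl, rtype, rdata), ...]}."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_LINE.match(line)
        if m:
            current = m.group(1)
            continue
        # Blank lines, ";; ..." status lines and the ";name IN TYPE" question line carry no RR.
        if not line or line.startswith(";") or current is None:
            continue
        rr = RR_LINE.match(line)
        if rr:
            owner, ttl, rtype, rdata = rr.groups()
            sections[current].append((owner, int(ttl), rtype, rdata))
    return dict(sections)


def section_ttl_range(text, section):
    """(min, max) TTL seen in a section, or None if the section is absent or empty."""
    ttls = [ttl for _, ttl, _, _ in parse_dig_sections(text).get(section, [])]
    return (min(ttls), max(ttls)) if ttls else None


def zero_ttl_answers(text):
    """Sorted (owner, type) pairs that the ANSWER section served with TTL 0."""
    rrs = parse_dig_sections(text).get("ANSWER", [])
    return sorted({(owner, rtype) for owner, ttl, rtype, _ in rrs if ttl == 0})


def has_zero_ttl_symptom(text):
    """True when every ANSWER record has TTL 0 while AUTHORITY still shows TTLs > 0,
    i.e. the resolver is handing out cached data but telling clients not to cache it."""
    answer = section_ttl_range(text, "ANSWER")
    authority = section_ttl_range(text, "AUTHORITY")
    return answer == (0, 0) and authority is not None and authority[0] > 0


# Abridged from the first dig run in the post (RPZ enabled, 'dig google.ch ANY').
DIG_RPZ_ANY = """\
;; QUESTION SECTION:
;google.ch.                     IN      ANY

;; ANSWER SECTION:
google.ch.              0       IN      SOA     ns3.google.com. dns-admin.google.com. 1536918 900 900 1800 60
google.ch.              0       IN      TXT     "v=spf1 -all"
google.ch.              0       IN      MX      10 aspmx.l.google.com.
google.ch.              0       IN      A       173.194.116.55
google.ch.              0       IN      NS      ns1.google.com.

;; AUTHORITY SECTION:
google.ch.              3598    IN      NS      ns1.google.com.

;; ADDITIONAL SECTION:
ns1.google.com.         172798  IN      A       216.239.32.10
"""

# Abridged from the second run in the post ('dig google.ch ANY +norec'), normal TTLs.
DIG_NOREC = """\
;; QUESTION SECTION:
;google.ch.                     IN      ANY

;; ANSWER SECTION:
google.ch.              1       IN      SOA     ns3.google.com. dns-admin.google.com. 1536918 900 900 1800 60
google.ch.              241     IN      TXT     "v=spf1 -all"
google.ch.              541     IN      MX      20 alt1.aspmx.l.google.com.
google.ch.              241     IN      A       173.194.116.55
google.ch.              3541    IN      NS      ns3.google.com.

;; AUTHORITY SECTION:
google.ch.              3541    IN      NS      ns4.google.com.

;; ADDITIONAL SECTION:
ns1.google.com.         172741  IN      A       216.239.32.10
"""

if __name__ == "__main__":
    for label, output in (("rpz ANY", DIG_RPZ_ANY), ("+norec", DIG_NOREC)):
        print(label, "answer TTL range:", section_ttl_range(output, "ANSWER"),
              "zero-TTL:", zero_ttl_answers(output),
              "symptom:", has_zero_ttl_symptom(output))
```

To use it against a live resolver, pipe `dig @resolver name ANY` into the parser; a run that returns True from `has_zero_ttl_symptom` reproduces the behaviour in the post, and comparing `section_ttl_range` across repeated queries shows whether the "normal" TTLs ever come back as they did with "+norec".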