
When I configure BIND with a response policy zone so I can override DNS for the LAN network, I have noticed that the TTL returned by this DNS server maxes out at 5 seconds. I can lower the TTL to 1-4 seconds, but setting anything higher than 5 will just stay at 5 seconds. (I tried setting both $TTL 3600 and inline, e.g. testdns.domanin.net 3600 IN A x.x.x.x.)

I noticed this originally on my pfSense box configured with BIND, but then I set up another test server under Ubuntu and exactly the same happens there too.

My configuration is based on https://deteque.com/m3aawg-bind-training/, which is mentioned in this document: https://www.isc.org/docs/BIND_RPZ.pdf

I spent significant time testing different settings, and although DNS returns the correct records, the TTL times are wrong as stated above, and for my purpose 5 seconds is really not usable.

The only configuration option which, to my knowledge, is able to limit TTL is max-zone-ttl, but that is only applicable in combination with DNSSEC (https://bind9.readthedocs.io/en/v9.18.13/reference.html#namedconf-statement-max-zone-ttl).

This affects, in my case, both versions 9.16 and 9.18.

Is there something I am missing, or is this some sort of undocumented RPZ limitation?

Thank you to anyone who can shed some light on this.
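Editor's note, added here and not part of the question or of the linked training material: BIND's `response-policy` statement carries its own `max-policy-ttl` option, which caps the TTL of every answer that RPZ rewrites, independently of the `$TTL` or per-record TTL in the policy zone; the BIND reference gives its default as 5 seconds. The fragment below shows the RPZ setup the question describes with that cap raised explicitly. The zone name `rpz.example.lan`, the hostname `testdns.example.lan`, the address `192.0.2.10` and the file path are constructed placeholders.

```conf
# --- named.conf fragment (constructed example, not the question's config) ---
options {
    recursion yes;
    # Answers rewritten by RPZ get min(record TTL, max-policy-ttl).
    # With the default (5 s) a 3600 s record in the policy zone is still
    # handed to clients as 5 s; setting it to 3600 lets the zone TTL through.
    response-policy {
        zone "rpz.example.lan";
    } max-policy-ttl 3600;
};

# The policy zone is an ordinary primary zone with its own data file.
zone "rpz.example.lan" {
    type master;
    file "/etc/bind/db.rpz.example.lan";   # placeholder path
    allow-query { localhost; };            # policy data is not for direct lookup
};

# --- /etc/bind/db.rpz.example.lan (constructed example) ---
# $TTL 3600
# @   IN SOA  ns.rpz.example.lan. hostmaster.rpz.example.lan. (
#             2024010101 3600 900 604800 60 )
#     IN NS   ns.rpz.example.lan.
# ; Override: answer A queries for testdns.example.lan with a LAN address.
# testdns.example.lan    3600 IN A 192.0.2.10
```

After `rndc reconfig` (or `rndc reload`), `dig @127.0.0.1 testdns.example.lan A` should show 3600 in the answer-section TTL column; with `max-policy-ttl` left at its default the same query shows 5. The cap never raises a TTL above what the policy zone record carries, so `$TTL` and `max-policy-ttl` both need to be at the value you want. A short cap is also what makes an RPZ rewrite quick to retract from client caches, so keep it as low as the use case tolerates rather than setting it to match the longest record.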
