How to make BIND (DNS) authoritative for a TLD for more than a minute

I'm trying to block the .zip TLD on my laptop (running Fedora 38) using bind.

  1. Install bind

  2. Update named.conf

    options {
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory   "/var/named";
        dump-file   "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        allow-query     { localhost; };
    
        /* 
        - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
        - If you are building a RECURSIVE (caching) DNS server, you need to enable 
        recursion. 
        - If your recursive DNS server has a public IP address, you MUST enable access 
        control to limit queries to your legitimate users. Failing to do so will
        cause your server to become part of large scale DNS amplification 
        attacks. Implementing BCP38 within your network would greatly
        reduce such attack surface 
        */
        recursion yes;
    
        forwarders { 8.8.8.8; };
    
        dnssec-validation yes;
    
        managed-keys-directory "/var/named/dynamic";
        geoip-directory "/usr/share/GeoIP";
    
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
    
        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
    
        /* this makes it block everything */
        // response-policy { zone "zip"; };
    };
    
    logging {
            channel default_debug {
                    file "data/named.run";
                    severity dynamic;
            };
    };
    
    zone "zip" IN {
        type master;
        file "zip-rpz";
        allow-update { none; };
    };
    
    zone "." IN {
        type hint;
        file "named.ca";
    };
    
    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
    
  3. Add /var/named/zip-rpz

    $TTL 1D                ; default TTL of all RRs without their own TTL value
    @       IN  SOA   ns.zip. postmaster.ns.zip. ( 2020091025 7200 3600 1209600 3600 )
    @       IN      NS      ns                     ; nameserver (matches the SOA MNAME ns.zip.)
    ns      IN      A       127.0.0.1              ; address record for the nameserver
    *       IN      A       127.0.0.1              ; localhost
            IN      AAAA    ::1                    ; localhost
    
  4. Apply for now

    sudo systemctl enable named
    sudo service named restart
    resolvectl dns wlp0s20f3 127.0.0.1
    

However, running dig url.zip returns 127.0.0.1 only for the next minute or so; after that it shows the "correct" IP (and I can reach the site in the browser again). Why does it get reset?

If I remove the forwarders line, the result is the same.

If I set recursion no;, I can't resolve anything other than .zip URLs (which point to 127.0.0.1).

Answer 1

I think I solved it?

If I'm not mistaken, the problem seems to be that systemd-resolve/resolvectl doesn't keep its settings for long...

If I change the file /etc/systemd/resolved.conf so that it contains

...
[Resolve]
DNS=127.0.0.1
...

and then reboot, it seems to (eventually) do what it should.


Obviously I'd still like to know why

resolvectl dns wlp0s20f3 127.0.0.1

only takes effect briefly.
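A check that separates the two possible causes of the symptom in the question (BIND answering wrongly, or queries no longer reaching BIND at all), added here as an example and not part of the question or the answer above. A server set with resolvectl dns is runtime state on that link; anything that re-applies the link's DNS configuration (on Fedora, commonly NetworkManager when the connection is refreshed from DHCP) replaces it, and the link, being the default route for name resolution, then takes the .zip lookups away from 127.0.0.1. The script below parses the output of resolvectl status and names every link that carries a default DNS route but points somewhere other than 127.0.0.1. It assumes the text layout of recent systemd ("Link N (ifname)" blocks with "Current DNS Server:" and "Protocols: ... +DefaultRoute" lines); the sample status embedded in it is constructed, not captured from the asker's laptop.

```shell
#!/bin/sh
# Added example: find out which resolver systemd-resolved is actually routing
# queries to. Not from the question or the answer above. Assumes the
# `resolvectl status` text layout of recent systemd.

# Constructed sample of `resolvectl status` output (NOT captured from the
# asker's laptop): the global server is 127.0.0.1 as in the answer, but the
# Wi-Fi link has been handed 192.168.1.1 (e.g. by DHCP) and is a default route.
SAMPLE_STATUS='Global
         Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub
Current DNS Server: 127.0.0.1
       DNS Servers: 127.0.0.1

Link 1 (lo)
    Current Scopes: none
         Protocols: -DefaultRoute LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 2 (wlp0s20f3)
    Current Scopes: DNS
         Protocols: +DefaultRoute LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.1.1
       DNS Servers: 192.168.1.1
        DNS Domain: lan'

# Reads `resolvectl status` text on stdin and prints one tab-separated line per
# scope: "<Global|ifname> <current server, or - if none> <default route yes|no>".
parse_resolved_status() {
    awk '
        function flush() {
            if (scope != "") printf "%s\t%s\t%s\n", scope, (cur == "" ? "-" : cur), def
        }
        /^Global/                        { flush(); scope = "Global"; cur = ""; def = "yes" }
        /^Link [0-9]+ \(/                { flush(); scope = $3; gsub(/[()]/, "", scope); cur = ""; def = "no" }
        /Current DNS Server:/            { cur = $NF }
        /Protocols:/ && /\+DefaultRoute/ { def = "yes" }
        END { flush() }
    '
}

# Names the links that carry a default DNS route but do not point at
# 127.0.0.1: those are the links through which .zip lookups bypass BIND.
links_bypassing_bind() {
    parse_resolved_status | awk -F '\t' '$1 != "Global" && $3 == "yes" && $2 != "127.0.0.1" { print $1 }'
}

# Stand-alone use: prefer the live status, fall back to the constructed sample.
if status=$(resolvectl status 2>/dev/null); then
    echo "links bypassing 127.0.0.1 (live resolvectl status):"
else
    echo "resolvectl not available, using the constructed sample:"
    status=$SAMPLE_STATUS
fi
printf '%s\n' "$status" | links_bypassing_bind
```

Run it when dig url.zip has started returning the real address again: if it names the Wi-Fi link, BIND itself is fine and the stub resolver was simply redirected. The same distinction can be made by hand, since dig @127.0.0.1 url.zip asks BIND directly while dig url.zip goes through the systemd-resolved stub; only the second of the two is affected by the per-link server being reset.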
