[dns-operations] Who Ignores TTLs ?

Andrew Sullivan ajs at shinkuro.com
Thu Feb 17 17:25:57 UTC 2011


On Thu, Feb 17, 2011 at 12:21:11PM +1000, George Michaelson wrote:
> At a presentation held by CNNIC during IETF, CNNIC demonstrated research s/w aimed at on-the-fly adjustment of TTL to enhance cache retention behaviours.
> 
> I have some concerns about the probity of this kind of change, and how it could work under DNSSEC, but I would say this is well beyond urban legend: some large DNS providers are actively considering playing with the DNS TTL in order to manage traffic flows.
> 
> I believe the intention is to mitigate ddos.

There's actually a draft floating around to specify this.  It's fairly
carefully targeted.  I do kind of hate it, but I see the point of it.

The idea is beguiling.  The technique is to be used if and only if all
of the following are true: you are an iterative resolver with a
cache, and you have a cached item that is expiring, and you find that
you cannot contact any of the authority servers for the domain at all.
In such a case, you may opt to extend the life of the soon-to-expire
cached entry up to some length, the details of which are still
unsettled, I think, but likely the minimum of the original TTL on the
RRset or the negative TTL for the zone.

The idea here is to eliminate the case where a domain whose servers
are not responding because of overload gets even more overloaded
because everyone's cache has expired, and they keep asking over and
over again.

A

-- 
Andrew Sullivan
ajs at shinkuro.com
Shinkuro, Inc.
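The rule Andrew describes (extend an expiring cached RRset only when every authority server for the domain is unreachable, bounded by the smaller of the RRset's original TTL and the zone's negative TTL) is small enough to model end to end. The following is an added example written for this page; it is not code from the draft, from Shinkuro, or from any resolver. The authority interface (a callable that returns rdata and TTL or raises TimeoutError), the per-zone negative-TTL lookup, and the sample addresses and timings are all constructed for illustration.

```python
# Added example: a toy iterative-resolver cache that models the
# "extend an expiring entry only when no authority answers" rule.
# The authority interface, the negative-TTL lookup and the sample data
# are assumptions made for this illustration, not code from any resolver.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Rdata = Tuple[str, ...]
# An authority server is modelled as a callable (name, rtype) -> (rdata, ttl)
# that raises TimeoutError when it cannot be reached at all.
Authority = Callable[[str, str], Tuple[Rdata, int]]


@dataclass
class CacheEntry:
    rdata: Rdata
    original_ttl: int      # TTL the RRset carried when it was fetched
    inserted_at: float     # resolver clock (seconds) at insertion
    negative_ttl: int      # zone's negative-caching TTL; assumed already known

    @property
    def expires_at(self) -> float:
        return self.inserted_at + self.original_ttl

    @property
    def extension(self) -> int:
        # The bound discussed in the post: min(original TTL, zone negative TTL).
        return min(self.original_ttl, self.negative_ttl)


class StaleCapableCache:
    def __init__(self, negative_ttl_for_zone: Callable[[str], int]):
        self._entries: Dict[Tuple[str, str], CacheEntry] = {}
        self._negative_ttl = negative_ttl_for_zone

    def resolve(self, name: str, rtype: str, now: float,
                authorities: List[Authority]) -> Tuple[Optional[Rdata], str]:
        """Return (rdata, status); status is fresh/refreshed/stale/servfail."""
        key = (name, rtype)
        entry = self._entries.get(key)
        # 1. Unexpired hit: serve from cache, generate no upstream traffic.
        if entry and now < entry.expires_at:
            return entry.rdata, "fresh"
        # 2. Expired or missing: ask the authorities. One answer is enough;
        #    the stale path is only legitimate when *none* of them responds.
        for auth in authorities:
            try:
                rdata, ttl = auth(name, rtype)
            except TimeoutError:
                continue
            self._entries[key] = CacheEntry(rdata, ttl, now, self._negative_ttl(name))
            return rdata, "refreshed"
        # 3. No authority reachable: extend the expired entry, but only up to
        #    the bound, so a dead zone does not live in the cache forever.
        if entry and now < entry.expires_at + entry.extension:
            return entry.rdata, "stale"
        # 4. Never cached, or the extension window is exhausted: fail closed.
        self._entries.pop(key, None)
        return None, "servfail"


def scenario() -> List[str]:
    """Walk one constructed timeline and return the status of each lookup."""
    cache = StaleCapableCache(lambda zone: 300)          # assumed SOA minimum

    def up(name: str, rtype: str) -> Tuple[Rdata, int]:   # constructed answer
        return (("192.0.2.1",), 60)

    def down(name: str, rtype: str) -> Tuple[Rdata, int]:
        raise TimeoutError("authority unreachable")

    statuses = []
    statuses.append(cache.resolve("www.example", "A", 0, [up])[1])         # refreshed
    statuses.append(cache.resolve("www.example", "A", 30, [down])[1])      # fresh
    statuses.append(cache.resolve("www.example", "A", 90, [down])[1])      # stale: <60+60
    statuses.append(cache.resolve("www.example", "A", 100, [down, up])[1]) # one answers
    statuses.append(cache.resolve("www.example", "A", 300, [down])[1])     # past 160+60
    statuses.append(cache.resolve("nx.example", "A", 300, [down])[1])      # never cached
    return statuses


if __name__ == "__main__":
    print(scenario())
```

Two points the toy makes visible: the extension is measured from the original expiry, not from the last query, so an overloaded zone stops being served after a bounded window rather than indefinitely; and a single reachable authority short-circuits the stale path, which is the "cannot contact any of the authority servers at all" condition. Extending a cache entry does nothing to the RRSIG validity period carried with signed data, so a validating resolver still has to respect signature expiration on whatever it serves stale; that is the DNSSEC interaction George was worried about.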
