[dns-operations] Who Ignores TTLs ?
Andrew Sullivan
ajs at shinkuro.com
Thu Feb 17 17:25:57 UTC 2011
On Thu, Feb 17, 2011 at 12:21:11PM +1000, George Michaelson wrote:
> At a presentation held by CNNIC during IETF, CNNIC demonstrated research s/w aimed at on-the-fly adjustment of TTL to enhance cache retention behaviours.
>
> I have some concerns about the probity of this kind of change, and how it could work under DNSSEC, but I would say this is well beyond urban legend: some large DNS providers are actively considering playing with the DNS TTL in order to manage traffic flows.
>
> I believe the intention is to mitigate ddos.
There's actually a draft floating around to specify this. It's fairly
carefully targeted. I do kind of hate it, but I see the point of it.
The idea is beguiling. The technique is to be used if and only if all
of the following are true: you are an iterative resolver with a
cache, and you have a cached item that is expiring, and you find that
you cannot contact any of the authority servers for the domain at all.
In such a case, you may opt to extend the life of the soon-to-expire
cached entry up to some length, the details of which are still
unsettled, I think, but likely the minimum of the original TTL on the
RRset or the negative TTL for the zone.
The idea here is to eliminate the case where a domain whose servers
are not responding because of overload gets even more overloaded
because everyone's cache has expired, and they keep asking over and
over again.
A
--
Andrew Sullivan
ajs at shinkuro.com
Shinkuro, Inc.
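The decision logic Andrew describes, written out as an added Python sketch (not code from the post, the draft, or any resolver): a cached RRset is only extended when it has expired and no authority server answers, and the extension is capped at min(original TTL, negative TTL). Two details the post leaves unsettled are filled with labelled assumptions: the zone's negative TTL is taken as already known to the resolver, and the extension is granted once, after which the stale copy is dropped.

```python
"""TTL extension ("serve stale") as described in the post: an iterative
resolver extends an expiring cached RRset only when no authority for the
domain can be reached, capped at min(original TTL, negative TTL).
Added example; the one-time-extension limit is an assumption."""

from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

RRset = Tuple[str, ...]
Answer = Tuple[RRset, int]  # (RRset data, TTL as received)


@dataclass
class CacheEntry:
    rrset: RRset
    original_ttl: int       # TTL as handed out by the authority
    expires_at: float       # absolute expiry time, in seconds
    extended: bool = False  # True once the one-time extension was applied (assumption)


class StaleAwareCache:
    """Resolver cache implementing the conditional extension from the post."""

    def __init__(self, negative_ttl: int):
        # Negative-caching TTL for the zone (SOA minimum); assumed known here.
        self.negative_ttl = negative_ttl
        self.entries: Dict[str, CacheEntry] = {}

    def store(self, name: str, rrset: RRset, ttl: int, now: float) -> None:
        self.entries[name] = CacheEntry(rrset, ttl, now + ttl)

    def lookup(self, name: str, now: float,
               query_authorities: Callable[[str], Optional[Answer]]
               ) -> Tuple[Optional[RRset], str]:
        """Return (rrset or None, status). query_authorities(name) returns
        (rrset, ttl), or None when no authority server for the domain answers."""
        entry = self.entries.get(name)

        # 1. Unexpired cache hit: answer locally, no upstream traffic at all.
        if entry is not None and now < entry.expires_at:
            return entry.rrset, ("stale" if entry.extended else "fresh")

        # 2. Missing or expired: ask the authorities exactly as a normal resolver would.
        answer = query_authorities(name)
        if answer is not None:
            rrset, ttl = answer
            self.store(name, rrset, ttl, now)
            return rrset, "refreshed"

        # 3. Authorities unreachable and nothing cached: a genuine failure.
        if entry is None:
            return None, "unresolvable"

        # 4. Extension already used once: drop the stale copy (assumed limit).
        if entry.extended:
            del self.entries[name]
            return None, "expired"

        # 5. The post's rule: extend by the smaller of the original TTL and the negative TTL.
        extension = min(entry.original_ttl, self.negative_ttl)
        entry.expires_at = now + extension
        entry.extended = True
        return entry.rrset, "stale"


def demo() -> Tuple[List[str], int]:
    """Constructed scenario: a 600 s record in a zone with a 300 s negative TTL,
    whose authorities stop answering before it expires. Returns the status of
    each lookup and how many times the authorities were actually queried."""
    cache = StaleAwareCache(negative_ttl=300)
    upstream_calls: List[str] = []

    def authorities(name: str) -> Optional[Answer]:
        upstream_calls.append(name)
        return None  # every authority server times out

    cache.store("www.example.test.", ("192.0.2.1",), ttl=600, now=0)
    statuses = [cache.lookup("www.example.test.", t, authorities)[1]
                for t in (100, 700, 900, 1100)]
    return statuses, len(upstream_calls)


if __name__ == "__main__":
    print(demo())  # (['fresh', 'stale', 'stale', 'expired'], 2)
```

The point of the scenario is visible in the counts: across four lookups while the authorities are down, only two upstream queries are made, and the lookup at t=900 is answered from the extended entry without touching the overloaded servers at all. A resolver that knows its current time and negative TTL can plug the same check in front of its normal expiry handling.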