[dns-operations] Who Ignores TTLs ?

Andrew Sullivan ajs at shinkuro.com
Thu Feb 17 17:25:57 UTC 2011

On Thu, Feb 17, 2011 at 12:21:11PM +1000, George Michaelson wrote:
> At a presentation held by CNNIC during IETF, CNNIC demonstrated research s/w aimed at on-the-fly adjustment of TTL to enhance cache retention behaviours.
> I have some concerns about the probity of this kind of change, and how it could work under DNSSEC, but I would say this is well beyond urban legend: some large DNS providers are actively considering playing with the DNS TTL in order to manage traffic flows.
> I believe the intention is to mitigate ddos.

There's actually a draft floating around to specify this.  It's fairly
carefully targeted.  I do kind of hate it, but I see the point of it.

The idea is beguiling.  The technique is to be used if and only if all
of the following are true: you are an iterative resolver with a
cache, and you have a cached item that is expiring, and you find that
you cannot contact any of the authority servers for the domain at all.
In such a case, you may opt to extend the life of the soon-to-expire
cached entry up to some length, the details of which are still
unsettled, I think, but likely the minimum of the original TTL on the
RRset or the negative TTL for the zone.

The idea here is to eliminate the case where a domain whose servers
are not responding because of overload gets even more overloaded
because everyone's cache has expired, and they keep asking over and
over again.


Andrew Sullivan
ajs at shinkuro.com
Shinkuro, Inc.
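A simplified model of the cache-extension rule described in the post above, added here as an example; it is not code from the post, from the draft it mentions, or from any resolver. The cache class, the `fetch` callback and the sample addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Answer as returned by an authority: (rrset, TTL, zone negative TTL).
Answer = Tuple[tuple, int, int]


@dataclass
class CacheEntry:
    rrset: tuple        # the cached answer records
    original_ttl: int   # TTL as received from the authority
    negative_ttl: int   # negative-caching TTL of the zone (SOA minimum)
    expires_at: float   # normal expiry time
    stale_until: float = 0.0  # set once, when the entry has been extended


class ServeStaleCache:
    """Toy iterative-resolver cache: extends a dying entry only when no
    authority server answers, by min(original TTL, zone negative TTL)."""

    def __init__(self, fetch: Callable[[str], Optional[Answer]]):
        # fetch(name) returns an Answer, or None when no authority responds
        self.fetch = fetch
        self.entries: Dict[str, CacheEntry] = {}

    def insert(self, name: str, answer: Answer, now: float) -> None:
        rrset, ttl, neg_ttl = answer
        self.entries[name] = CacheEntry(rrset, ttl, neg_ttl, now + ttl)

    def lookup(self, name: str, now: float) -> Tuple[Optional[tuple], str]:
        entry = self.entries.get(name)
        if entry is not None and now < entry.expires_at:
            return entry.rrset, "fresh"
        answer = self.fetch(name)          # try the authorities first
        if answer is not None:
            self.insert(name, answer, now)  # normal refresh; extension never used
            return answer[0], "refreshed"
        if entry is None:
            return None, "servfail"        # nothing cached and nobody answers
        if entry.stale_until == 0.0:
            # First expiry with every authority unreachable: extend once.
            extra = min(entry.original_ttl, entry.negative_ttl)
            entry.stale_until = entry.expires_at + extra
        if now < entry.stale_until:
            return entry.rrset, "stale"    # keep serving; stop hammering the authority
        del self.entries[name]             # extension used up; give up on the entry
        return None, "servfail"
```

A deployment would also need to rate-limit the refresh attempts made while an entry is being served stale, and a validating resolver could not extend an answer past its RRSIG validity period.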

