[dns-operations] Paranoid mode for resolvers

Jay Daley jay at nzrs.net.nz
Sat Sep 3 00:00:49 UTC 2011


As everyone who works for a registry knows, the effectiveness of domain name takedown to combat a phishing/malware site diminishes over time as the NS records get cached in more and more resolvers.  While this is recognised in work taking place on fast takedown to minimise the impact, there still isn't a mitigation for those resolvers that cache those NS records before the takedown.

Has anybody come across a resolver that attempts to deal with this, say by re-checking a new (to the resolver) delegation 10, 30, 60, etc. minutes afterwards, ignoring the TTL until after those checks have passed, assuming the TTL is longer?  Sort of a paranoid mode that operators can configure the resolver to follow.

cheers
Jay

-- 
Jay Daley
Chief Executive
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 931 6977
mobile: +64 21 678840
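The "paranoid mode" sketched above, as an added example that is not from the post or any real resolver: a small NS cache that re-queries a newly learned delegation on the 10/30/60-minute schedule regardless of the parent's TTL, with a constructed takedown scenario showing where a plain TTL cache and the paranoid cache diverge. The check offsets, zone names and `lookup` callback are assumptions.

```python
# Re-check offsets in seconds: the 10/30/60-minute schedule suggested in the post.
PARANOID_CHECKS = (600, 1800, 3600)

class ParanoidNSCache:
    """NS cache that re-verifies a newly learned delegation on a fixed schedule,
    ignoring the parent's TTL until every scheduled check has passed.
    lookup(zone) stands in for the query to the parent zone and returns
    (frozenset of NS names, ttl_seconds)."""

    def __init__(self, lookup, checks=PARANOID_CHECKS):
        self.lookup, self.checks = lookup, checks
        self.cache = {}    # zone -> dict(ns, ttl, first_seen, refreshed, done)
        self.lookups = 0   # upstream queries issued, for inspection

    def _fetch(self, zone, now):
        ns, ttl = self.lookup(zone)
        self.lookups += 1
        old = self.cache.get(zone)
        if old is None or old["ns"] != ns:
            # A delegation this resolver has not seen before: restart the schedule.
            self.cache[zone] = dict(ns=ns, ttl=ttl, first_seen=now, refreshed=now, done=0)
        else:
            old["ttl"], old["refreshed"] = ttl, now
        return ns

    def get(self, zone, now):
        d = self.cache.get(zone)
        if d is None or now >= d["refreshed"] + d["ttl"]:
            return self._fetch(zone, now)      # cache miss or ordinary TTL expiry
        due = False
        while d["done"] < len(self.checks) and now >= d["first_seen"] + self.checks[d["done"]]:
            d["done"] += 1                     # one query satisfies all overdue checks
            due = True
        return self._fetch(zone, now) if due else d["ns"]   # re-check ignores the TTL

def takedown_demo():
    """Constructed scenario: a phishing domain delegated with a one-day TTL whose
    delegation the registry replaces five minutes after the resolver caches it."""
    auth = {"ns": frozenset({"ns1.phish.example"}), "ttl": 86400}
    def upstream(zone): return (auth["ns"], auth["ttl"])
    paranoid = ParanoidNSCache(upstream)
    plain = ParanoidNSCache(upstream, checks=())     # conventional TTL-only cache
    paranoid.get("phish.example", now=0)
    plain.get("phish.example", now=0)
    auth["ns"] = frozenset({"sinkhole.registry.example"})   # takedown at t = 300 s
    return {"plain_at_10min": plain.get("phish.example", now=600),
            "paranoid_at_9min": paranoid.get("phish.example", now=540),
            "paranoid_at_10min": paranoid.get("phish.example", now=600),
            "paranoid_lookups": paranoid.lookups}
```

Once a re-check returns a different NS set, the cache treats that as a new delegation and restarts the schedule, so a replaced delegation is itself re-verified.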