[dns-operations] Paranoid mode for resolvers
olaf at NLnetLabs.nl
Mon Sep 5 10:10:07 UTC 2011
On Sep 3, 2011, at 2:00 AM, Jay Daley wrote:
> As everyone who works for a registry knows, the effectiveness of domain name takedown to combat a phishing/malware site diminishes over time as the NS records get cached in more and more resolvers. While this is recognised in work taking place on fast takedown to minimise the impact, there still isn't a mitigation for those resolvers that cache those NS records before the takedown.
> Has anybody come across a resolver that attempts to deal with this, say by re-checking a new (to the resolver) delegation 10, 30, 60, etc. minutes afterwards, ignoring the TTL until after those checks have passed, assuming the TTL is longer? Sort of a paranoid mode that operators can configure the resolver to follow.
I do not know of such resolvers.
I do know that Unbound tops off TTLs at 24 hrs (by default), so 'damage' only lasts for a day even if the NS TTL is set to e.g. a week.
My first thought when reading this, and speculating on whether you would want to implement such a mechanism, is that recursive nameservers might not be the best place. Regulations that say that 'take down' should be in effect in 'X hours' are typically bound to the locality of the registry, and such timings should be signaled by the authorities.
As often with first thoughts, I am probably missing some aspects of this problem space.
Olaf M. Kolkman NLnet Labs
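An added sketch, not from this thread nor from Unbound or any other resolver's code, of how the "paranoid mode" Jay describes could be layered on a cache entry: a newly seen delegation is re-fetched at 10, 30 and 60 minutes regardless of its TTL, and once those checks pass the entry falls back to the normal TTL, capped at the 24-hour ceiling Olaf mentions. The class and function names, and the assumption that a changed NS set restarts the schedule, are my own.

```python
"""Sketch of a 'paranoid mode' re-check policy for cached delegations (illustrative)."""
from dataclasses import dataclass

# Re-check offsets in seconds after the delegation was first cached (10, 30, 60 min, from the post).
RECHECK_SCHEDULE = (10 * 60, 30 * 60, 60 * 60)
# 24-hour ceiling on any cached TTL, matching the default cap mentioned for Unbound.
MAX_TTL = 24 * 3600


@dataclass
class DelegationEntry:
    zone: str
    nameservers: tuple      # NS target names as returned by the parent
    first_seen: int         # seconds on the resolver's clock when first cached
    ttl: int                # TTL from the authoritative/parent answer
    checks_passed: int = 0  # how many scheduled re-checks have confirmed this NS set


def effective_expiry(entry: DelegationEntry, paranoid: bool = True) -> int:
    """Clock time at which the NS set must be re-fetched from the parent."""
    capped_expiry = entry.first_seen + min(entry.ttl, MAX_TTL)
    if not paranoid or entry.checks_passed >= len(RECHECK_SCHEDULE):
        return capped_expiry  # schedule exhausted (or mode off): plain capped TTL
    next_check = entry.first_seen + RECHECK_SCHEDULE[entry.checks_passed]
    # If the TTL is shorter than the next check, the TTL wins; otherwise the check does.
    return min(capped_expiry, next_check)


def needs_refetch(entry: DelegationEntry, now: int, paranoid: bool = True) -> bool:
    """True when the cache must go back to the parent before serving this delegation."""
    return now >= effective_expiry(entry, paranoid)


def record_recheck(entry: DelegationEntry, fresh_ns: tuple, fresh_ttl: int, now: int) -> DelegationEntry:
    """Apply the result of a re-fetch.

    A changed NS set (e.g. the registry pointed the domain elsewhere in a takedown)
    replaces the entry and restarts the schedule; an unchanged set advances it.
    """
    if fresh_ns != entry.nameservers:
        return DelegationEntry(entry.zone, fresh_ns, now, fresh_ttl, checks_passed=0)
    entry.checks_passed += 1
    return entry
```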