[dns-operations] Paranoid mode for resolvers
ogud at ogud.com
Tue Sep 6 17:19:37 UTC 2011
On 9/2/2011 8:00 PM, Jay Daley wrote:
> As everyone who works for a registry knows, the effectiveness of domain name takedown to combat a phishing/malware site, diminishes over time as the NS records get cached in more and more resolvers. While this is recognised in work taking place on fast takedown to minimise the impact, there still isn't a mitigation for those resolvers that cache those NS records before the takedown.
For every simple question there is a long and complicated answer.
At a delegation there are two NS sets, the parent one and the child one;
which one is used depends on which resolver (or version of the resolver) is in use,
or on whether the child authoritative server has minimal-response set.
In the case of a resolver using the parent-side NS set, the TTL you set
tells the resolver how often to refresh information about the delegation
===> if you want to enable fast takedown, lower your (.NZ) TTL to
something that is acceptable to your regulator and will not cause your
authoritative servers to be overrun.
As for the resolvers that use the child-side NS set, all bets are off,
unless you place a requirement that the NS set from the child has to be
revalidated every parent-side TTL and, if the NS set has changed, all
information at and below the delegation is purged.
Take a look at draft res-improve that wants to place this requirement into
The short answer is: lower your TLD's TTL to 1-4 hours.
> Has anybody come across a resolver that attempts to deal with this, say by re-checking a new (to the resolver) delegation 10, 30, 60, etc minutes afterwards ignoring the TTL until after those checks have passed, assuming the TTL is longer? Sort of a paranoid mode that operators can configure the resolver to follow.
If I saw a resolver doing something like this I would stop using it
for performance reasons.
Just imagine the effect on root servers: you are proposing increasing the
real traffic to them by 140x (10-minute rechecking). (The actual increase
will be less, as the majority of the traffic is junk.)
Resolvers should respect reasonable TTLs, capping how long data is kept
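As an added illustration of the caching behaviours discussed in the message above (this is example code, not part of the original post or of any resolver), a small model of how long a resolver keeps using a taken-down delegation under the parent-side, child-side and revalidate-every-parent-TTL policies, and of the query amplification behind the 140x figure. All TTLs, takedown times and the policy names are constructed assumptions for illustration.

```python
from typing import Iterable, Optional

def parent_refresh_times(parent_ttl: int, horizon: int,
                         extra_checks: Iterable[int] = ()) -> list:
    """Seconds (from first learning the delegation at t=0) at which the
    resolver re-queries the parent: once per parent TTL, plus any one-off
    'paranoid mode' rechecks (e.g. 600, 1800, 3600 for 10/30/60 minutes)."""
    times = set(range(parent_ttl, horizon + 1, parent_ttl))
    times.update(t for t in extra_checks if t <= horizon)
    return sorted(times)

def stops_using_delegation(policy: str, parent_ttl: int, takedown_at: int,
                           horizon: int = 7 * 86400,
                           extra_checks: Iterable[int] = ()) -> Optional[int]:
    """Time at which a resolver stops using a delegation that the parent
    removed or changed at takedown_at; None if it never does within horizon.
      'parent'           - uses the parent-side NS set, refreshed per parent TTL
      'child'            - prefers the child-side NS set and keeps refreshing it
                           from the child's own servers ("all bets are off")
      'child-revalidate' - child-side set, but revalidated against the parent
                           every parent TTL and purged if the set changed
    (policy names are constructed for this model)."""
    if policy == "child":
        return None
    for t in parent_refresh_times(parent_ttl, horizon, extra_checks):
        if t >= takedown_at:
            return t
    return None

def query_multiplier(parent_ttl: int, recheck_interval: int) -> float:
    """How many times more parent-side queries a resolver sends if it rechecks
    every recheck_interval instead of once per parent TTL; the message's ~140x
    corresponds to a one-day TTL (86400 s) rechecked every 10 minutes."""
    return parent_ttl / recheck_interval

if __name__ == "__main__":
    # Constructed values: parent TTL of 2 hours, takedown 1 hour after caching.
    for pol in ("parent", "child", "child-revalidate"):
        print(pol, stops_using_delegation(pol, 7200, 3600))
    print("10-minute rechecks vs 1-day TTL:", query_multiplier(86400, 600))
```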