[dns-operations] Paranoid mode for resolvers

Olafur Gudmundsson ogud at ogud.com
Tue Sep 6 17:19:37 UTC 2011


On 9/2/2011 8:00 PM, Jay Daley wrote:
> As everyone who works for a registry knows, the effectiveness of domain name takedown to combat a phishing/malware site diminishes over time as the NS records get cached in more and more resolvers.  While this is recognised in work taking place on fast takedown to minimise the impact, there still isn't a mitigation for those resolvers that cache those NS records before the takedown.
>

Jay,
for every simple question there is a long and complicated answer.
At a delegation there are two NS sets, the parent one and the child one, 
depending on which resolver (or version of the resolver) is in use, or 
if the child authoritative server has minimal-response set.

In the case of the resolver using the Parent side NS set the TTL you set 
tells the resolver how often to refresh information about the delegation 
===> if you want to enable fast takedown lower your (.NZ) TTL to 
something that is acceptable to your regulator and will not cause your 
authoritative servers to be overrun.

As for the resolvers that use the child side NS set, all bets are off, 
unless you place a requirement that the NS set from the child has to be 
revalidated every parent side TTL and, if the NS set has changed, all 
information at and below the delegation is purged.
Take a look at draft res-improve, which wants to place this requirement 
into the resolvers.

The short answer is: lower your TLD's TTL to 1-4 hours.


> Has anybody come across a resolver that attempts to deal with this, say by re-checking a new (to the resolver) delegation 10, 30, 60, etc minutes afterwards ignoring the TTL until after those checks have passed, assuming the TTL is longer?  Sort of a paranoid mode that operators can configure the resolver to follow.

If I saw a resolver that was doing something like this I would stop using 
it for performance reasons.
Just imagine the effect on root servers: you are proposing increasing the 
real traffic to them by 140x (10-minute rechecking). (The actual increase 
will be less, as the majority of the traffic is junk.)

Resolvers should respect reasonable TTLs; capping how long data is kept 
is fine.

	Olafur
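As an added illustration (not code from the thread or from any resolver), a small Python model of the trade-off discussed above: the parent-side NS TTL bounds how long a takedown can stay invisible to a resolver, one-off rechecks after first learning a delegation only help inside that initial window, and rechecking on a fixed interval multiplies refresh traffic to the parent by TTL/interval. The 2-day "before" TTL is an assumed typical value; the 10/30/60-minute recheck offsets come from Jay's question and the 1-4 hour range from the reply.

```python
from dataclasses import dataclass

MINUTE, HOUR, DAY = 60, 3600, 86400

@dataclass
class Policy:
    """ttl: TTL of the parent-side NS RRset (seconds); rechecks: extra
    "paranoid" re-queries as offsets from when the resolver first learns
    the delegation (seconds)."""
    ttl: int
    rechecks: tuple = ()

def refresh_times(policy, horizon):
    """Seconds after the first lookup at which a resolver with constant client
    interest re-asks the parent for the NS set, up to `horizon`. Constructed
    model: the TTL is honoured exactly and a recheck does not restart it."""
    ttl_driven = set(range(0, horizon, policy.ttl))
    extra = {r for r in policy.rechecks if r < horizon}
    return sorted(ttl_driven | extra)

def delay_for_takedown_at(policy, t):
    """Seconds until this resolver notices a takedown at the parent made
    `t` seconds after it first learned the delegation."""
    later = [r for r in refresh_times(policy, t + 3 * policy.ttl) if r > t]
    return later[0] - t

def worst_case_delay(policy):
    """Widest gap between refreshes, including the steady state after the
    one-off rechecks are spent: the longest a takedown can go unseen."""
    times = refresh_times(policy, 3 * policy.ttl)
    return max(b - a for a, b in zip(times, times[1:]))

def load_multiplier(recheck_interval, ttl):
    """Re-asking every `recheck_interval` instead of every `ttl` multiplies
    real refresh traffic to the parent by this factor (the thread's ~140x is
    roughly a 1-day TTL rechecked every 10 minutes)."""
    return ttl / recheck_interval

if __name__ == "__main__":
    # Assumed values: a 2-day delegation TTL as the "before" case and the
    # 1-4 hour range suggested in the thread as the "after" case.
    paranoid = Policy(2 * DAY, rechecks=(10 * MINUTE, 30 * MINUTE, HOUR))
    for name, p in [("2d TTL", Policy(2 * DAY)), ("2d TTL + rechecks", paranoid),
                    ("4h TTL", Policy(4 * HOUR)), ("1h TTL", Policy(HOUR))]:
        print(f"{name:18} worst case {worst_case_delay(p) / HOUR:5.1f} h,"
              f" {DAY / p.ttl:5.1f} refreshes/day/resolver, takedown 20 min after"
              f" first lookup seen after {delay_for_takedown_at(p, 20 * MINUTE) / MINUTE:7.1f} min")
    print("10-minute rechecking vs 1-day TTL:", load_multiplier(10 * MINUTE, DAY), "x")
```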
