[dns-operations] [dDoS] Good discussion on the Rackspace attack and DNS resiliency

Paul Vixie paul at redbarn.org
Tue Dec 30 20:24:19 UTC 2014
> David C Lawrence <mailto:tale at akamai.com>
> Tuesday, December 30, 2014 11:54 AM
> Paul Vixie writes:
>
>> violating other people's reasonable assumptions meanwhile shouldn't
>> be an option.
>
> For what it's worth, the "TTLs are inviolable" ship sailed long ago.
> Both ends of the TTL are already monkeyed with by local policy across
> the Internet.  BIND has had max-cache-ttl for a very long time.

TTL is the longest you can keep something. keeping it for less time than
that is not just allowed, it's expected, either due to cache
replacement, or restart, or local policy. that's not "monkeying" in the
way i think you mean it.

on the other hand the min-cache-ttl which BIND also had (in BIND8) was
"monkeying" since it placed a hard five minute floor on how long
information could be held. i regretted this and BIND9 does not have it.

> Web
> browsers similarly for a very long time have kept local caches with
> minimum TTLs that the vast majority of people are not even aware of.

my web browser (chrome, at the moment) does not keep information longer
than my authority TTL's, but i admit that i am not a CDN and none of my
TTL's are less than 30 seconds. it may be that if you want five seconds
you can't get it, but i wouldn't be seeing that here.
>
>> see also: <http://queue.acm.org/detail.cfm?id=1242499>.
>
> Great article.  Thanks for writing it.

i'd love to see you write the next chapter of that story, giving the CDN
perspective.

see also:
<http://cacm.acm.org/magazines/2009/12/52835-what-dns-is-not/fulltext>

-- 
Paul Vixie
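
Added example (editor's illustration, not part of Vixie's message and not
BIND code): a small Python model of a resolver cache that makes the
distinction above concrete. A ceiling on hold time (the max-cache-ttl case)
drops a record sooner than the authority's TTL, which the TTL contract
allows; a floor on hold time (the BIND8 min-cache-ttl case) keeps serving a
record after the authority's TTL has run out, which is the "monkeying"
Vixie objects to. The host name and address are constructed (RFC 5737
documentation range), the 30 second TTL and the 10 s / 300 s settings are
chosen for the demonstration, and the rule for the remaining TTL reported to
the client is this example's own choice, not a statement about how BIND
computes it.

```python
# Added example (not from the post, not BIND code): a toy resolver cache that
# shows why a TTL ceiling stays within the authority's intent while a TTL
# floor does not. Host name, address and timings are constructed.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class CachedRecord:
    rdata: str
    authority_ttl: int   # TTL as published by the authoritative server
    inserted_at: int     # cache insertion time (seconds)
    expires_at: int      # when this cache stops serving the record


class ResolverCache:
    """Minimal positive-answer cache with an optional ceiling and floor on hold time."""

    def __init__(self, max_cache_ttl: Optional[int] = None,
                 min_cache_ttl: Optional[int] = None) -> None:
        self.max_cache_ttl = max_cache_ttl  # ceiling: never hold longer than this
        self.min_cache_ttl = min_cache_ttl  # floor: hold at least this long
        self.entries: Dict[str, CachedRecord] = {}

    def insert(self, name: str, rdata: str, ttl: int, now: int) -> None:
        hold = ttl
        if self.max_cache_ttl is not None:
            hold = min(hold, self.max_cache_ttl)   # shorter than the TTL: allowed
        if self.min_cache_ttl is not None:
            hold = max(hold, self.min_cache_ttl)   # longer than the TTL: overrides the authority
        self.entries[name] = CachedRecord(rdata, ttl, now, now + hold)

    def lookup(self, name: str, now: int) -> Optional[Tuple[str, int]]:
        """Return (rdata, remaining_ttl), or None once this cache has dropped the record.

        The remaining TTL handed to the client is the smaller of the authority's
        countdown and the time this cache will still hold the record, clamped at
        0, so the client is never told the data is fresher than either side allows.
        (This rule is the example's choice, not a description of BIND.)
        """
        rec = self.entries.get(name)
        if rec is None or now >= rec.expires_at:
            self.entries.pop(name, None)
            return None
        remaining = min(rec.authority_ttl - (now - rec.inserted_at),
                        rec.expires_at - now)
        return rec.rdata, max(0, remaining)

    def serves_stale(self, name: str, now: int) -> bool:
        """True when an answer is still served after the authority's TTL has run out."""
        rec = self.entries.get(name)
        return (rec is not None and now < rec.expires_at
                and now - rec.inserted_at >= rec.authority_ttl)


def scenario() -> dict:
    """Constructed input: www.example.net A 192.0.2.10 with a 30 s authority TTL."""
    name, addr, auth_ttl = "www.example.net", "192.0.2.10", 30
    out = {}

    plain = ResolverCache()                    # honours the TTL as an upper bound
    plain.insert(name, addr, auth_ttl, now=0)
    out["plain_t20"] = plain.lookup(name, now=20)        # (addr, 10)
    out["plain_t30"] = plain.lookup(name, now=30)        # None: expired on time

    ceiling = ResolverCache(max_cache_ttl=10)  # drops the record early
    ceiling.insert(name, addr, auth_ttl, now=0)
    out["ceiling_t5"] = ceiling.lookup(name, now=5)      # (addr, 5): capped by the cache
    out["ceiling_t10"] = ceiling.lookup(name, now=10)    # None: gone before the TTL
    out["ceiling_stale"] = ceiling.serves_stale(name, now=10)  # False

    floor = ResolverCache(min_cache_ttl=300)   # BIND8-style five-minute floor
    floor.insert(name, addr, auth_ttl, now=0)
    out["floor_t200"] = floor.lookup(name, now=200)      # (addr, 0): served past the TTL
    out["floor_stale"] = floor.serves_stale(name, now=200)  # True: the "monkeying" case
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key:14} {value}")
```

Running it prints the three cases side by side: the plain cache and the
ceiling cache both answer None by the time the authority's 30 seconds are
up, while the floor cache still hands out 192.0.2.10 at t=200, long after
the zone owner expected every resolver to have re-queried.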