[dns-operations] I want a pony^H^H^H^H^H^Hto change the TTL (Was: TLD glue sticks around too long

Mike Jones mike at mikejones.in
Wed Dec 7 13:07:50 UTC 2016


On 5 December 2016 at 17:22, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> https://blog.cloudflare.com/tld-glue-sticks-around-too-long/
>
> Strange to present it as one of the biggest problems when mitigating
> the DDoS. After all, glue records are only for in-zone data; most
> domains have little or no glue.
>
> Also, since the resolver uses the TTL from the zone (which is
> authoritative), why worry about the TTL from the parent? On my
> Unbound, I do get the authoritative ultra-short TTL:
>
> % dig ns1.cloudflare.net
>
> ; <<>> DiG 9.10.3-P4-Debian <<>> ns1.cloudflare.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27418
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;ns1.cloudflare.net.    IN A
>
> ;; ANSWER SECTION:
> ns1.cloudflare.net.     900 IN A 173.245.59.31
> ns1.cloudflare.net.     900 IN RRSIG A 13 3 900 (
>                                 20161206182041 20161204162041 35273 cloudflare.net.
>                                 hYHtruVFvzKIOUZoBY8xiMNwQLBqygAJBtWlUdXs0f03
>                                 2wjzxJVatGbqs66WSFNinqg6wBq5t78flybJj/J3Eg== )
>
> ;; Query time: 125 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Dec 05 18:20:41 CET 2016
> ;; MSG SIZE  rcvd: 173


I've had a thought that is probably relevant to this thread.

If you are using a validating resolver, the behaviour of going back to
the parent has already been changed. The TTL of a DS record in com is
24 hours, compared to the NS record being 48 hours. For uk the DS
record has a 1 hour TTL compared to 48 hours for the NS record.

1 hour to update signing keys, 48 hours to update NS records.
Something smells wrong here.

- Mike


