[dns-operations] I want a pony^H^H^H^H^H^Hto change the TTL (Was: TLD glue sticks around too long)
mike at mikejones.in
Wed Dec 7 13:07:50 UTC 2016
On 5 December 2016 at 17:22, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> Strange to present it as one of the biggest problems when mitigating
> the dDoS. After all, glue records are only for in-zone data; most
> domains have little or no glue.
> Also, since the resolver uses the TTL from the zone (which is
> authoritative), why worry about the TTL from the parent? On my
> Unbound, I do get the authoritative ultra-short TTL:
> % dig ns1.cloudflare.net
> ; <<>> DiG 9.10.3-P4-Debian <<>> ns1.cloudflare.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27418
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;ns1.cloudflare.net. IN A
> ;; ANSWER SECTION:
> ns1.cloudflare.net. 900 IN A 184.108.40.206
> ns1.cloudflare.net. 900 IN RRSIG A 13 3 900 (
> 20161206182041 20161204162041 35273 cloudflare.net.
> 2wjzxJVatGbqs66WSFNinqg6wBq5t78flybJj/J3Eg== )
> ;; Query time: 125 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Dec 05 18:20:41 CET 2016
> ;; MSG SIZE rcvd: 173
I've had a thought that is probably relevant to this thread.
If you are using a validating resolver, the behaviour of going back to
the parent has already been changed. The TTL of a DS record in com is
24 hours, compared to the NS record being 48 hours. For uk the DS
record has a 1 hour TTL compared to 48 hours for the NS record.
1 hour to update signing keys, 48 hours to update NS records.
Something smells wrong here.
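A small check for the DS-versus-NS TTL gap described in this post, added here as an illustration and not part of the original message: it parses dig-style RR lines as returned by a parent zone's servers and reports how much shorter the DS TTL is than the NS TTL. The sample records (example.uk., ns1.example.net., the digest and signature fields) are constructed to mirror the uk numbers quoted above, not a real capture.

```python
# Constructed sample (not a real capture) mirroring the uk numbers quoted above:
# the parent hands out NS with a 48 h TTL and DS with a 1 h TTL.
SAMPLE_PARENT_RRS = """\
; constructed: what the parent (uk) would answer for a delegation
example.uk.   172800 IN NS    ns1.example.net.
example.uk.   172800 IN NS    ns2.example.net.
example.uk.     3600 IN DS    12345 13 2 PLACEHOLDERDIGEST
example.uk.     3600 IN RRSIG DS 8 2 3600 20161206182041 20161204162041 12345 uk. PLACEHOLDERSIG
"""


def parse_ttls(text):
    """Map (owner, rtype) -> TTL from dig-style RR lines; comments and blanks are skipped."""
    ttls = {}
    for line in text.splitlines():
        fields = line.split()
        # expected layout: owner TTL class type rdata...
        if len(fields) < 4 or line.lstrip().startswith(";") or not fields[1].isdigit():
            continue
        owner, ttl, rclass, rtype = fields[0], int(fields[1]), fields[2], fields[3]
        if rclass != "IN":
            continue
        ttls[(owner.lower(), rtype.upper())] = ttl
    return ttls


def delegation_ttl_gap(text, owner):
    """Compare the parent's NS and DS TTLs for one delegation.

    Returns a dict with ns_ttl, ds_ttl, ratio (ns_ttl / ds_ttl) and ds_shorter,
    or None if either record type is absent. ratio > 1 means a key rollover
    (DS) propagates faster than a nameserver change (NS), the mismatch noted above.
    """
    ttls = parse_ttls(text)
    key = owner.lower()
    ns_ttl, ds_ttl = ttls.get((key, "NS")), ttls.get((key, "DS"))
    if ns_ttl is None or ds_ttl is None:
        return None
    return {"ns_ttl": ns_ttl, "ds_ttl": ds_ttl,
            "ratio": ns_ttl / ds_ttl, "ds_shorter": ds_ttl < ns_ttl}


if __name__ == "__main__":
    print(delegation_ttl_gap(SAMPLE_PARENT_RRS, "example.uk."))
```

To measure a real delegation, feed it the authority/answer sections of `dig +norecurse @<parent-server> <name> NS` and `... DS` instead of the constructed sample.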