[dns-operations] TTL=0; Last known good answer (Re: dns retries amplify attack)

Paul Vixie paul at redbarn.org
Mon Oct 24 22:35:49 UTC 2016

Damian Menscher wrote:
> > many domain names or rrsets need badly to be taken down, for the good of
> > the internet. this "use stale data at ttl=0" is exquisitely wrong
> > headed.
> It seems like we actually need two different TTLs:
>   - how long before we want the client to refresh their cache:
>     O(seconds/minutes) for agility
>   - how long we want the client to remember our latest answer:
>     O(hours/days) for availability
> Is there anything in the protocol today that would support this, or is
> there interest in adding it?

this is dns-operations@, where questions of this nature aren't on-topic.
however, i'll bite:

the current TTL is 32 bits unsigned, and i'd be very happy to see it
split into two 16-bit unsigned quantities. TTL longer than 65535 is
hardly ever operable.

the SOA MINIMUM is currently almost this, but only for negative answers.
expanding it to be used for positive answers as well could be done
without a wire-change.

P Vixie
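As an added illustration (not code from this thread, nor from any real resolver), a toy Python cache modelling the two-TTL idea under discussion: the 32-bit TTL is read as two unsigned 16-bit halves, a "refresh" interval after which the resolver should re-query and a "retain" interval after which the last known good answer is dropped regardless. The high-half/low-half layout, the class and function names and the sample records are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

def split_ttl(ttl32: int) -> Tuple[int, int]:
    """Read a 32-bit TTL as (refresh, retain); high half = refresh (assumed layout)."""
    if not 0 <= ttl32 <= 0xFFFFFFFF:
        raise ValueError("TTL must be an unsigned 32-bit value")
    return (ttl32 >> 16) & 0xFFFF, ttl32 & 0xFFFF

def join_ttl(refresh: int, retain: int) -> int:
    """Pack two 16-bit intervals into one 32-bit TTL field."""
    if not (0 <= refresh <= 0xFFFF and 0 <= retain <= 0xFFFF):
        raise ValueError("each half must fit in 16 bits (max 65535 seconds)")
    return (refresh << 16) | retain

@dataclass
class CacheEntry:
    rdata: str
    stored_at: float
    refresh: int   # seconds before the resolver should re-query the authority
    retain: int    # seconds the last known good answer may be served at all

class TwoTtlCache:
    """Resolver cache that serves stale data only within the retain window."""

    def __init__(self) -> None:
        self._entries: Dict[str, CacheEntry] = {}

    def store(self, name: str, rdata: str, ttl32: int, now: float) -> None:
        refresh, retain = split_ttl(ttl32)
        self._entries[name] = CacheEntry(rdata, now, refresh, retain)

    def lookup(self, name: str, now: float) -> Tuple[Optional[str], str]:
        """Return (answer, state): 'fresh', 'stale' (answer served, refresh
        due) or 'miss' (nothing, or retain window exceeded and entry evicted)."""
        e = self._entries.get(name)
        if e is None:
            return None, "miss"
        age = now - e.stored_at
        if age > e.retain:            # retain=0 means: never serve stale
            del self._entries[name]
            return None, "miss"
        if age > min(e.refresh, e.retain):
            return e.rdata, "stale"
        return e.rdata, "fresh"
```

A 16-bit half caps each interval at 65535 seconds, roughly 18 hours, so the "days" end of the retention range asked for above does not fit this layout. A record published with a retain half of 0 is the takedown case: the resolver never serves it stale.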
