[dns-operations] TTL=0; Last known good answer (Re: dns retries amplify attack)
Mark Andrews
marka at isc.org
Mon Oct 24 23:01:48 UTC 2016
In message <580E8CC5.9010909 at redbarn.org>, Paul Vixie writes:
>
>
> Damian Menscher wrote:
> > many domain names or rrsets need badly to be taken down, for the good of
> > the internet. this "use stale data at ttl=0" is exquisitely wrong
> > headed.
> >
> >
> > It seems like we actually need two different TTLs:
> > - how long before we want the client to refresh their cache:
> > O(seconds/minutes) for agility
> > - how long we want the client to remember our latest answer:
> > O(hours/days) for availability
> >
> > Is there anything in the protocol today that would support this, or is
> > there interest in adding it?
>
> this is dns-operations@, where questions of this nature aren't on-topic.
> however, i'll bite:
>
> the current TTL is 32 bits unsigned, and i'd be very happy to see it
> split into two 16-bit unsigned quantities. TTL longer than 65535 is
> hardly ever operable.
65535 is ~18 hours which is way too small for max retention.
A 19/13 split could work. A couple of hours for newness and nearly
a week for max retention.
2^13/3600 = 2
2^14/3600 = 4
2^15/3600 = 9
2^16/3600 = 18
2^17/3600 = 36
2^18/3600 = 72
2^19/3600 = 145
> the SOA MINIMUM is currently almost this, but only for negative answers.
> expanding it to be used for positive answers as well could be done
> without a wire-change.
>
> --
> P Vixie
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
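The two-TTL idea under discussion (a short "refresh" interval for agility plus a long "retain" interval for availability), worked through as an added example that is not part of the thread and not ISC or BIND code. The 19/13 packing of the existing 32-bit TTL field is a hypothetical encoding taken from the proposal above; no resolver implements it, and the names, addresses and the fake authoritative server are constructed for the demonstration. The cache model queries the authority once the refresh interval has passed and only falls back to the retained answer when that query fails, so a changed or withdrawn record still propagates at the refresh interval while an unreachable authority does not take the name off the air until the retain interval expires.

```python
import time

# Hypothetical split of the 32-bit TTL: high 19 bits = max retention
# (2**19 s, about 145 h), low 13 bits = refresh interval (2**13 s, about 2 h).
RETAIN_BITS = 19
REFRESH_BITS = 13
RETAIN_MAX = (1 << RETAIN_BITS) - 1
REFRESH_MAX = (1 << REFRESH_BITS) - 1


def field_hours(bits):
    """Whole hours expressible by a field of `bits` bits (matches 2^n/3600 above)."""
    return (1 << bits) // 3600


def pack_ttl(retain_secs, refresh_secs):
    """Pack (retain, refresh) into one 32-bit value, retain in the high bits."""
    if not 0 <= retain_secs <= RETAIN_MAX:
        raise ValueError("retain interval out of range")
    if not 0 <= refresh_secs <= REFRESH_MAX:
        raise ValueError("refresh interval out of range")
    return (retain_secs << REFRESH_BITS) | refresh_secs


def unpack_ttl(ttl):
    """Inverse of pack_ttl: returns (retain_secs, refresh_secs)."""
    return ttl >> REFRESH_BITS, ttl & REFRESH_MAX


class ResolveError(Exception):
    """The authority could not be reached (timeout, SERVFAIL, ...)."""


class TwoTTLCache:
    """Cache that refreshes after `refresh` seconds but keeps serving the last
    known good answer for up to `retain` seconds if the refresh fails."""

    def __init__(self, resolve, clock=time.monotonic):
        self._resolve = resolve      # callable(name) -> (rrset, packed_ttl)
        self._clock = clock
        self._entries = {}           # name -> (rrset, refresh_at, expire_at)

    def lookup(self, name):
        now = self._clock()
        entry = self._entries.get(name)
        if entry is not None and now < entry[1]:
            return entry[0], "fresh"             # within refresh interval
        try:
            rrset, ttl = self._resolve(name)
        except ResolveError:
            if entry is not None and now < entry[2]:
                return entry[0], "stale"         # authority down, still retained
            self._entries.pop(name, None)        # retention exhausted
            raise
        retain, refresh = unpack_ttl(ttl)
        self._entries[name] = (rrset, now + refresh, now + retain)
        return rrset, "fresh"


class FakeClock:
    """Constructed clock so the scenario is deterministic."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t
    def advance(self, secs):
        self.t += secs


class FakeAuthority:
    """Constructed authority: answers www.example. with a 145 h / 2 h TTL."""
    def __init__(self):
        self.up = True
        self.answer = ["192.0.2.1"]
        self.queries = 0
    def __call__(self, name):
        self.queries += 1
        if not self.up:
            raise ResolveError(name)
        return list(self.answer), pack_ttl(145 * 3600, 2 * 3600)


def run_scenario():
    """Outage, expiry and record change; returns (states, authority queries)."""
    clock, auth = FakeClock(), FakeAuthority()
    cache = TwoTTLCache(auth, clock)
    states = [cache.lookup("www.example.")[1]]   # first query to the authority
    clock.advance(3600)
    states.append(cache.lookup("www.example.")[1])   # answered from cache
    auth.up = False
    clock.advance(7200)                              # past refresh, authority down
    states.append(cache.lookup("www.example.")[1])   # last known good answer
    clock.advance(145 * 3600)                        # past retention
    try:
        cache.lookup("www.example.")
        states.append("unexpected")
    except ResolveError:
        states.append("expired")
    auth.up = True
    auth.answer = ["198.51.100.7"]                   # operator changed the record
    rrset, state = cache.lookup("www.example.")
    states.append(state + ":" + rrset[0])
    return states, auth.queries


if __name__ == "__main__":
    print(run_scenario())
```

The point the model makes explicit: a record that the operator changes or removes is refreshed on the short interval as long as the authority answers, so serving retained data does not defeat a takedown; only a failing refresh keeps the old answer alive, and only until the long interval runs out.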