[dns-operations] TTL=0; Last known good answer (Re: dns retries amplify attack)

Paul Vixie paul at redbarn.org
Tue Oct 25 21:55:18 UTC 2016



Matthew Pounsett wrote:
> 
> 
> On 24 October 2016 at 18:35, Paul Vixie <paul at redbarn.org> wrote:
> 
> 
>     the current TTL is 32 bits unsigned, and I'd be very happy to see it
>     split into two 16-bit unsigned quantities. TTL longer than 65535 is
>     hardly ever operable.
> 
> 65535 seconds is nowhere near long enough.  Typical TTLs for many record
> types in many zones are 1 or 2 days.  You need at least 18 bits to get that.
> 
> As far as I'm aware, implementations that set a maximum acceptable TTL
> default to 1 day, which requires at least 17 bits.

I think that even www.google.com/a, which holds the record for the all-time
most popular rrset, would have good amortization of its cache miss costs
if it had an 18-hour reuse period.

Especially if it was refreshed every 1.8 hours. You gotta do the math
before you decide that sub-day max-ttl isn't long enough. "For what?"

-- 
P Vixie
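
The "do the math" in the message above, worked as an added example that is not part of the thread or of any resolver's code: one resolver caching one RRset under a constant client query rate, counting client-visible misses and total upstream fetches for a 16-bit maximum TTL (65535 s, about 18.2 h), one day and two days, with and without a periodic background refresh at TTL/10 (the 1.8-hour figure). The query rates, the week-long horizon and the refresh model (refresh only when a client query arrives and the cached copy is older than the refresh interval) are constructed assumptions for illustration, not measurements of www.google.com or a description of any particular resolver's prefetch logic. `ttl_bits` also checks the bit-width claims made in the exchange (16, 17 and 18 bits).

```python
"""Added example (not from the thread): cache-miss amortization vs. TTL width.

Constructed model: one resolver, one RRset, clients querying at a constant
rate. Counts client-visible misses (a query had to wait for upstream) and
all upstream fetches (misses plus background refreshes).
"""
from typing import Optional

DAY = 86400
WEEK = 7 * DAY


def ttl_bits(ttl: int) -> int:
    """Unsigned bits needed to store a TTL of `ttl` seconds (65535 -> 16)."""
    if ttl < 0:
        raise ValueError("TTL is unsigned")
    return max(1, ttl.bit_length())


def simulate(ttl: int, query_interval: int, horizon: int = WEEK,
             refresh_interval: Optional[int] = None) -> dict:
    """Simulate a resolver cache for one RRset over `horizon` seconds.

    ttl:              lifetime the authority publishes, in seconds.
    query_interval:   seconds between successive client queries (constant).
    refresh_interval: if set, a query arriving when the cached copy is at
                      least this old triggers a background refetch; the
                      client is still answered from cache. An idle name is
                      never refreshed (assumed behaviour, not any product's).
    Returns query, miss and fetch counts and the per-query miss fraction.
    """
    last_fetch = None          # time of the most recent upstream answer
    queries = misses = fetches = 0
    for t in range(0, horizon, query_interval):
        queries += 1
        if last_fetch is None or t - last_fetch >= ttl:
            # Expired or never fetched: the client waits on upstream.
            misses += 1
            fetches += 1
            last_fetch = t
        elif refresh_interval is not None and t - last_fetch >= refresh_interval:
            # Still within TTL: answer from cache, refetch in the background.
            fetches += 1
            last_fetch = t
    return {"queries": queries, "misses": misses, "fetches": fetches,
            "miss_fraction": misses / queries}


if __name__ == "__main__":
    # Constructed query rates: a very popular name and a rarely asked one.
    for label, interval in (("popular, 1 q/s", 1), ("rare, 1 q/2h", 7200)):
        for ttl in (65535, DAY, 2 * DAY):
            r = simulate(ttl, interval)
            print(f"{label:15} ttl={ttl:6d} ({ttl_bits(ttl)} bits) "
                  f"misses/week={r['misses']:3d} "
                  f"miss_fraction={r['miss_fraction']:.2e}")
    r = simulate(65535, 1, refresh_interval=6553)
    print(f"popular, 18.2h TTL, refresh every 6553 s: "
          f"misses/week={r['misses']} fetches/week={r['fetches']}")
```

With the constructed rates, a continuously popular name sees on the order of ten misses per week at an 18.2-hour TTL versus seven at a day and four at two days, out of 604,800 queries, so the miss fraction is around 1e-5 either way; with the periodic refresh the client-visible misses drop to the initial one at the cost of about 93 fetches per week. For a name queried once every two hours the same TTL change moves the miss fraction from 9/84 to 7/84 to 4/84, which is where the "for what?" question has to be answered per zone.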
