[dns-operations] TTL=0; Last known good answer (Re: dns retries amplify attack)
Paul Vixie
paul at redbarn.org
Tue Oct 25 21:55:18 UTC 2016
Matthew Pounsett wrote:
> On 24 October 2016 at 18:35, Paul Vixie <paul at redbarn.org> wrote:
>
> > the current TTL is 32 bits unsigned, and i'd be very happy to see it
> > split into two 16-bit unsigned quantities. TTL longer than 65535 is
> > hardly ever operable.
>
> 65535 seconds is nowhere near long enough. Typical TTLs for many record
> types in many zones are 1 or 2 days. You need at least 18 bits to get that.
>
> As far as I'm aware, implementations that set a maximum acceptable TTL
> default to 1 day, which requires at least 17 bits.
i think that even www.google.com/a, which holds the record for all time
most popular rrset, would have good amortization of its cache miss costs
if it had an 18-hour reuse period.
especially if it was refreshed every 1.8 hours. you gotta do the math
before you decide that sub-day max-ttl isn't long enough. "for what?"
--
P Vixie
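The "do the math" in the exchange above, as an added example that is not part of the thread: a constructed model of a resolver cache that clamps TTLs to a max-ttl and optionally refreshes a popular RRset early, so the upstream cost of a 16-bit (65535 s) ceiling, a 1-day ceiling, and a TTL of 0 can be compared. The query rate, the refresh interval and the per-second loop are assumptions of this example, not the behaviour of any particular resolver.

```python
# Added example (not from the thread): count the upstream queries a single
# resolver sends for one RRset under a TTL ceiling, with and without an early
# refresh. All rates and intervals below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional


def ttl_bits(ttl_seconds: int) -> int:
    """Unsigned bits needed to hold a TTL value (0 still needs one bit)."""
    return max(1, ttl_seconds.bit_length())


@dataclass
class CacheStats:
    client_queries: int
    upstream_queries: int

    @property
    def miss_fraction(self) -> float:
        return self.upstream_queries / self.client_queries


def simulate(origin_ttl: int, max_ttl: int, qps: int, seconds: int,
             refresh_every: Optional[int] = None) -> CacheStats:
    """Simulate `seconds` of time with `qps` client queries per second.

    The entry is cached for min(origin_ttl, max_ttl) seconds. If refresh_every
    is set, the resolver re-fetches the RRset that often while it is still
    cached, so clients never wait on a cold miss. A TTL of 0 is never cached:
    every client query goes upstream, which is the retry-amplification case
    named in the subject line.
    """
    effective_ttl = min(origin_ttl, max_ttl)
    expires_at = -1          # nothing cached yet
    last_fetch = -1
    client = upstream = 0
    for t in range(seconds):
        client += qps
        if (refresh_every is not None and last_fetch >= 0
                and effective_ttl > 0 and t - last_fetch >= refresh_every):
            upstream += 1                      # scheduled early refresh
            last_fetch, expires_at = t, t + effective_ttl
        if t >= expires_at:                    # entry missing or expired
            if effective_ttl == 0:
                upstream += qps                # TTL=0: nothing is cacheable
            else:
                upstream += 1                  # one miss, then cache it
                last_fetch, expires_at = t, t + effective_ttl
    return CacheStats(client, upstream)
```

With a 1-day origin TTL clamped to 65535 s and refreshed every 6480 s (1.8 hours), one day of 1000 qps costs 14 upstream queries against 86.4 million client queries; the same day with a 1-day ceiling and no refresh costs 1.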