[dns-operations] Maximum TTL limits on public resolvers

Hugo Salgado hsalgado at nic.cl
Mon Nov 15 15:17:22 UTC 2021


On 19:29 13/11, Sadiq Saif wrote:
> Hi all,
> 
> While doing some checks on records in my zones I noticed that two public resolvers limit maximum TTL values. Google Public DNS limits to six hours and Quad9 limits to twelve hours. I tested this with a freshly created A record to forgo the possibility of caching. The actual TTL of the record at the authoritative servers is twenty four hours.
> 
> What is the technical or other reason(s) for such TTL limiting?
> 

There are risks with an excessively long TTL; for example, it is used as
a technique when hijacking or poisoning a domain, to keep the fake record
in caches as long as possible. For the same reason, I believe that
each resolver has a tradeoff to deal with.

The TTL indicates the maximum time for which I have the right to save
a record. Nothing prevents you from consulting it again before then, which
would have the same effect as removing a little-used record from the hot
cache before its expiration.

Hugo
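An added example, not part of this thread or of any resolver's code: a constructed toy model of a caching resolver that clamps stored TTLs, using the caps Sadiq observed (6 h for Google Public DNS, 12 h for Quad9) to show how a cap bounds the lifetime of any cached answer, including a bad one.

```python
"""Toy model of a caching resolver that clamps record TTLs.

Constructed example: it models the behaviour described in the thread
and is not the code of any real resolver.
"""
from dataclasses import dataclass

HOUR = 3600


@dataclass
class CacheEntry:
    rdata: str
    inserted_at: int   # seconds since epoch when the answer was cached
    ttl: int           # TTL actually stored, after clamping


class ResolverCache:
    """Cache that never keeps a record for longer than max_ttl seconds."""

    def __init__(self, max_ttl):
        self.max_ttl = max_ttl
        self._entries = {}

    def store(self, name, rdata, authoritative_ttl, now):
        # The authoritative TTL is an upper bound on how long we MAY cache;
        # a resolver is free to keep the record for less (Hugo's point).
        ttl = min(authoritative_ttl, self.max_ttl)
        self._entries[name] = CacheEntry(rdata, now, ttl)
        return ttl

    def lookup(self, name, now):
        """Return (rdata, remaining_ttl), or None if absent or expired."""
        entry = self._entries.get(name)
        if entry is None:
            return None
        remaining = entry.ttl - (now - entry.inserted_at)
        if remaining <= 0:
            del self._entries[name]   # expired: next query goes upstream
            return None
        return entry.rdata, remaining


def worst_case_lifetime(authoritative_ttl, caps):
    """Longest time any answer (good or poisoned) survives in each cache."""
    return {name: min(authoritative_ttl, cap) for name, cap in caps.items()}


# Caps observed in the thread; "uncapped" is a constructed baseline.
RESOLVER_CAPS = {"google": 6 * HOUR, "quad9": 12 * HOUR, "uncapped": 7 * 24 * HOUR}

if __name__ == "__main__":
    print(worst_case_lifetime(24 * HOUR, RESOLVER_CAPS))
```

With a 24 h authoritative TTL the model reproduces the thread's observation: 21600 s from the 6 h cap, 43200 s from the 12 h cap, and the full 86400 s only where no cap applies.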


