North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: fwd: Re: [registrars] Re: panix.com hijacked
- From: Joe Maimon
- Date: Mon Jan 17 14:39:46 2005
Steven M. Bellovin wrote:
In message <Pine.LNX.firstname.lastname@example.org>, "william(
On Sun, 16 Jan 2005, Joe Maimon wrote:
Many versions of bind have a parameter that caps TTLs to some rational
maximum value -- by default in bind9, 3 hours. Unfortunately, the
documentation suggests that the purpose of the max-ncache-ttl parameter
is to let you increase the cap, in order to improve performance and
decrease network traffic.
Thus justifying those who load their NS and corresponding NS's A records
with nice long TTLAlthough this wasn't a problem in this case (hijacker did not appear to
have been interested in controlling dns since it points to default domain
registration and under construction page), but long TTL trick could be
used by hijackers - i.e. he gets some very popular domain, changes dns to
the one he controls and purposely sets long TTL. Now even if registrars
are able to act quickly and change registration back, those who cached new
dns data would keep it for quite long in their cache.
The suggestion that someone made the other day -- that the TTL on zones
be ramped up gradually by the registries after creation or transfer --
is, I think, a good one.
--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
To reduce network traffic and increase performance the server stores
negative answers. *max-ncache-ttl* is used to set a maximum
retention time for these answers in the server in seconds. The
default *max-ncache-ttl* is 10800 seconds (3 hours).
*max-ncache-ttl* cannot exceed 7 days and will be silently truncated
to 7 days if set to a greater value.
*max-cache-ttl* sets the maximum time for which the server will
cache ordinary (positive) answers. The default is one week (7 days).
So loading TTL's to longer than 7 days will have diminishing returns.
Is this really such a good thing?