Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: fwd: Re: [registrars] Re: hijacked

  • From: Joe Maimon
  • Date: Mon Jan 17 14:39:46 2005

Steven M. Bellovin wrote:

In message <>, "william( at)" writes:

On Sun, 16 Jan 2005, Joe Maimon wrote:

Thus justifying those who load their NS and corresponding NS's A records with nice long TTL

Although this wasn't a problem in this case (the hijacker did not appear to have been interested in controlling DNS, since it points to a default domain registration and under-construction page), the long TTL trick could be used by hijackers, i.e. he gets some very popular domain, changes DNS to the one he controls and purposely sets a long TTL. Now even if registrars are able to act quickly and change the registration back, those who cached the new DNS data would keep it for quite a long time in their cache.

Many versions of bind have a parameter that caps TTLs to some rational maximum value -- by default in bind9, 3 hours. Unfortunately, the documentation suggests that the purpose of the max-ncache-ttl parameter is to let you increase the cap, in order to improve performance and decrease network traffic.
The suggestion that someone made the other day -- that the TTL on zones be ramped up gradually by the registries after creation or transfer -- is, I think, a good one.

--Prof. Steven M. Bellovin,

From bv9ARM


   To reduce network traffic and increase performance the server stores
   negative answers. *max-ncache-ttl* is used to set a maximum
   retention time for these answers in the server in seconds. The
   default *max-ncache-ttl* is 10800 seconds (3 hours).
   *max-ncache-ttl* cannot exceed 7 days and will be silently truncated
   to 7 days if set to a greater value.


   *max-cache-ttl* sets the maximum time for which the server will
   cache ordinary (positive) answers. The default is one week (7 days).

So loading TTLs to longer than 7 days will have diminishing returns.
Is this really such a good thing?
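
An added Python example, not part of the original message and not BIND's own code: it reads the two options from a named.conf text, applies the defaults and the 7-day truncation stated in the ARM excerpt above, and computes how long a resolver would keep serving a hijacker's long-TTL record after the registration is reverted. The sample configuration, the function names and the 30-day TTL scenario are constructed, and option values are assumed to be integer seconds.

```python
import re

DAY = 86400
DEFAULT_MAX_CACHE_TTL = 7 * DAY    # positive answers, per the quoted ARM text
DEFAULT_MAX_NCACHE_TTL = 10800     # negative answers, 3 hours
NCACHE_HARD_LIMIT = 7 * DAY        # larger values are silently truncated

OPTION_RE = re.compile(r"^\s*(max-cache-ttl|max-ncache-ttl)\s+(\d+)\s*;", re.M)

def strip_comments(text):
    """Remove /* */, // and # comments, all of which named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def effective_caps(named_conf):
    """Return the TTL caps (seconds) a resolver would actually apply."""
    caps = {"max-cache-ttl": DEFAULT_MAX_CACHE_TTL,
            "max-ncache-ttl": DEFAULT_MAX_NCACHE_TTL}
    for name, value in OPTION_RE.findall(strip_comments(named_conf)):
        caps[name] = int(value)
    caps["max-ncache-ttl"] = min(caps["max-ncache-ttl"], NCACHE_HARD_LIMIT)
    return caps

def stale_window(record_ttl, cached_at, reverted_at, max_cache_ttl):
    """Seconds a resolver keeps a hijacked record after the revert."""
    expires_at = cached_at + min(record_ttl, max_cache_ttl)
    return max(0, expires_at - reverted_at)

# Constructed sample configuration (not taken from the thread).
SAMPLE_CONF = """
options {
    // max-cache-ttl 604800;   (commented out, so it is ignored)
    max-cache-ttl 86400;       # operator lowers the positive cap to 1 day
    max-ncache-ttl 1209600;    /* 14 days requested, truncated to 7 */
};
"""

if __name__ == "__main__":
    caps = effective_caps(SAMPLE_CONF)
    print("effective caps:", caps)
    # Constructed scenario: hijacker publishes a 30-day TTL, a resolver
    # caches it at t=0, and the registrar reverts the change 6 hours later.
    for label, cap in (("default 7-day cap", DEFAULT_MAX_CACHE_TTL),
                       ("configured cap", caps["max-cache-ttl"])):
        left = stale_window(30 * DAY, 0, 6 * 3600, cap)
        print(f"{label}: stale for another {left / 3600:.0f} hours")
```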

