Steven M. Bellovin wrote:
In message <Pine.LNX.4.44.0501161225210.11207-100000@sokol.elan.net>, "william( at)elan.net" writes:
On Sun, 16 Jan 2005, Joe Maimon wrote:
Thus justifying those who load their NS and corresponding NS's A records with nice long TTL
Although this wasn't a problem in this case (hijacker did not appear to have been interested in controlling dns since it points to default domain registration and under construction page), but long TTL trick could be used by hijackers - i.e. he gets some very popular domain, changes dns to the one he controls and purposely sets long TTL. Now even if registrars are able to act quickly and change registration back, those who cached new dns data would keep it for quite long in their cache.
Many versions of bind have a parameter that caps TTLs to some rational maximum value -- by default in bind9, 3 hours. Unfortunately, the documentation suggests that the purpose of the max-ncache-ttl parameter is to let you increase the cap, in order to improve performance and decrease network traffic.
The suggestion that someone made the other day -- that the TTL on zones be ramped up gradually by the registries after creation or transfer -- is, I think, a good one.
--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
From bv9ARM *max-ncache-ttl* To reduce network traffic and increase performance the server stores negative answers. *max-ncache-ttl* is used to set a maximum retention time for these answers in the server in seconds. The default *max-ncache-ttl* is 10800 seconds (3 hours). *max-ncache-ttl* cannot exceed 7 days and will be silently truncated to 7 days if set to a greater value. *max-cache-ttl* *max-cache-ttl* sets the maximum time for which the server will cache ordinary (positive) answers. The default is one week (7 days). So loading TTL's to longer than 7 days will have diminishing returns. Is this really such a good thing? Joe