fwd: Re: [registrars] Re: panix.com hijacked

Steven M. Bellovin smb at cs.columbia.edu
Mon Jan 17 18:08:50 UTC 2005

In message <Pine.LNX.4.44.0501161225210.11207-100000 at sokol.elan.net>, "william(
at)elan.net" writes:
>On Sun, 16 Jan 2005, Joe Maimon wrote:
>> Thus justifying those who load their NS and corresponding NS's A records 
>> with nice long TTL
>Although this wasn't a problem in this case (hijacker did not appear to 
>have been interested in controlling dns since it points to default domain
>registration and under construction page), but long TTL trick could be 
>used by hijackers - i.e. he gets some very popular domain, changes dns to 
>the one he controls and purposely sets long TTL. Now even if registrars 
>are able to act quickly and change registration back, those who cached new
>dns data would keep it for quite long in their cache.

Many versions of bind have a parameter that caps TTLs to some rational 
maximum value -- by default in bind9, 3 hours.  Unfortunately, the 
documentation suggests that the purpose of the max-ncache-ttl parameter 
is to let you increase the cap, in order to improve performance and 
decrease network traffic.  

The suggestion that someone made the other day -- that the TTL on zones 
be ramped up gradually by the registries after creation or transfer -- 
is, I think, a good one.

		--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb

More information about the NANOG mailing list