[registrars] Re: panix.com hijacked

Edward Lewis Ed.Lewis at neustar.biz
Mon Jan 17 19:06:15 UTC 2005

At 13:54 -0500 1/17/05, Joe Abley wrote:

>So the TTLs of records in the registry-operated zones will likely have no
>impact on how long NS records for delegated zones remain in caches.
>If panix (or anybody else) wants to increase the time that their NS records
>stay in caches, the way to do it is to increase the TTLs on the authoritative
>NS records in their own zones. For panix.com, these appear to be set to 72
>hours (the non-authoritative NS records for PANIX.COM in the COM zone have
>48-hour TTLs).

That's provided that the panix.com authoritative NS's are seen in the 
cache.  Not all name servers return the authoritative NS's in an 
answer.  (BIND has an option 'minimal-responses yes_or_no;' that 
control this.  The default is no, but I know of one "yes" user.)

The registrant's copy of the NS set is more credible (RFC 2181 speak) 
than the registry's copy, so if a cache sees both, the cache tosses 
the registry copy.  But there's no guarantee that the cache will see 
both.  Usually it does though.

Edward Lewis                                                +1-571-434-5468

"A noble spirit embiggens the smallest man." - Jebediah Springfield

More information about the NANOG mailing list