DNS TTL adherence

Rodney Joffe rjoffe at centergate.com
Wed Mar 15 14:16:35 UTC 2006


On Mar 15, 2006, at 1:56 AM, Simon Waters wrote:
>
> In answer to the original question, I'm not aware of any DNS servers that
> don't expire data at the end of the TTL period correctly. Failing to expire
> such data would be a good way of breaking things, and people would just not
> use such broken software.

Let me help you become aware, then...

>
> I'm not sure why the OP thinks someone would research such a bug in detail, my
> experience is they would just fix it.

Some people don't believe it is a bug, and therefore don't see that
anything needs "fixing".

Feel free to, for example, send 2 consecutive queries for a record
that has a short (<10,000 second) TTL to 212.23.11.206. This is one
of the over 100,000 random open recursive servers that have been
party to some of the recursive DNS server amplification DDoS attacks
over the last few weeks... and this behavior exists in a number of them.

If you can't think of a record to query for that has a short enough  
TTL, I've created a wildcard entry of:

      *.example.centergate.com

so that you can test this repeatedly without having to wait for the  
overridden TTL to expire. Just use a different random wildcard record  
each time (remembering to send 2 consecutive identical queries to see  
the misbehavior).

$ dig @212.23.11.206 jhgfd.example.centergate.com a


This behavior is unfortunately not unique.

/rlj
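The two-query test described in the post, written up as an added example (it is not part of the original thread or of any resolver's code): the script sends the same A query twice to a resolver, a couple of seconds apart, parses both answers, and classifies how the TTL moved. A resolver that honours TTLs serves the second answer from cache with a smaller TTL; one that overrides or freezes TTLs returns the same or a larger value. The resolver address and query name are supplied on the command line (any address or wildcard name used is an assumption), and the sample response bytes used for offline testing are constructed here, not captured traffic.

```python
"""Two-query TTL adherence probe for a recursive resolver."""
import secrets
import socket
import struct
import time

def encode_name(name):
    """Encode a dotted hostname as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=1, qid=None):
    """Build a recursion-desired query for name/qtype; returns (qid, packet)."""
    if qid is None:
        qid = secrets.randbelow(65536)        # random ID, as a stub resolver would use
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return qid, header + encode_name(name) + struct.pack("!HH", qtype, 1)

def read_name(data, offset):
    """Decode a (possibly compressed) name; returns (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:             # compression pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2              # the pointer ends this name on the wire
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)

def parse_answers(data):
    """Return (qid, rcode, [(name, rtype, ttl, rdata), ...]) from a response."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):                  # skip the echoed question section
        _, offset = read_name(data, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        name, offset = read_name(data, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        answers.append((name, rtype, ttl, data[offset:offset + rdlen]))
        offset += rdlen
    return qid, flags & 0x000F, answers

def classify_ttl(first_ttl, second_ttl, elapsed_seconds):
    """Judge the TTL movement between two answers for the same record.
    TTLs count in whole seconds, so only a wait of >= 2 s makes a
    non-decreasing TTL conclusive."""
    if second_ttl > first_ttl:
        return "ttl_reset"                    # cache handed back a fresh/overridden TTL
    if second_ttl == first_ttl and elapsed_seconds >= 2:
        return "ttl_frozen"                   # cached answer is not counting down
    return "ttl_decrementing"                 # the expected behaviour

def compare_ttls(first, second, elapsed_seconds):
    """Pair records by (name, type, rdata) and classify each one's TTL movement."""
    before = {(n, t, r): ttl for n, t, ttl, r in first}
    report = {}
    for n, t, ttl, r in second:
        if (n, t, r) in before:
            report[(n, t, r)] = classify_ttl(before[(n, t, r)], ttl, elapsed_seconds)
    return report

def check_resolver(resolver_ip, name, delay=2.0, timeout=3.0):
    """Send the same A query twice, `delay` seconds apart, to resolver_ip:53."""
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for attempt in range(2):
            qid, packet = build_query(name)
            sock.sendto(packet, (resolver_ip, 53))
            data, _ = sock.recvfrom(4096)
            got_qid, rcode, answers = parse_answers(data)
            if got_qid != qid or rcode != 0:
                raise RuntimeError(f"bad reply: id match={got_qid == qid}, rcode={rcode}")
            results.append(answers)
            if attempt == 0:
                time.sleep(delay)
    return compare_ttls(results[0], results[1], delay)

def make_sample_response(qid, name, ttl, address=b"\x0a\x00\x00\x01"):
    """Constructed sample response (not real traffic) for offline testing:
    one A record whose owner name is a compression pointer to the question."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(address)) + address
    return header + question + answer

if __name__ == "__main__":
    import sys
    # Usage: python ttl_probe.py <resolver-ip> <name>; pick a fresh random label
    # under a wildcard zone each run so the first answer is never already cached.
    print(check_resolver(sys.argv[1], sys.argv[2]))
```

The two-second delay is deliberate: with one-second TTL granularity, two back-to-back queries inside the same second can legitimately return equal TTLs, so a "frozen" verdict is only drawn after a wait long enough that a conforming cache must have decremented.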



More information about the NANOG mailing list