what the heck do i do now?

Joseph S D Yao jsdy at center.osis.gov
Thu Feb 1 01:20:43 UTC 2007


Thinking this out, out loud.  Well, in black and white, anyway.

Your vix.com name servers are authoritative for the zone.

If a name server wants to do a lookup on maps.vix.com, it will get it
from cache, or send a query to the listed IP address for one of the name
servers.

You said you had tried, e.g., putting up a maps.vix.com zone with a huge
negative TTL - or did you say negative TTL? - but that would only work
for multiple queries for the same value from the same name server.  I
don't see a clean way to "poison" even a large number of caches to
forget about you completely.

Does a large negative TTL on vix.com really not reduce the traffic much?
But then that hurts you when you add a new record, if someone has been
trying to get to that record.  And there are name servers out there that
ignore negative TTL.

The only way for it not to arrive at the name server is for something in
the way to block it.  Perhaps a transparent filter, or perhaps the IP
addresses of the "name servers" are your firewalls, which will block and
pass the rest on to the real name servers behind them.

Or maybe that's more work than it's worth.  ;-)  Is anything suffering
besides your logs?

-- 
Joe Yao
-----------------------------------------------------------------------
   This message is not an official statement of OSIS Center policies.
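The point about negative TTLs above (a large negative TTL only helps against repeat queries from the same resolver, and some resolvers ignore it anyway) can be made concrete with a small simulation. This is an added example and not part of Joe Yao's message or of anything vix.com ran; the resolver names, query timestamps and SOA values are constructed for illustration, and the negative-cache TTL rule follows RFC 2308 (min of the SOA MINIMUM field and the SOA record's own TTL).

```python
# Added example, not part of the original message: simulate per-resolver
# negative caching for one retired name and count how many queries still
# reach the authoritative server.  All names, timestamps and SOA values
# below are constructed sample data.

def negative_cache_ttl(soa_minimum: int, soa_ttl: int) -> int:
    """Negative-cache TTL an RFC 2308 resolver applies to an NXDOMAIN or
    NODATA answer: the smaller of the SOA MINIMUM field and the TTL of the
    SOA record returned in the authority section."""
    return min(soa_minimum, soa_ttl)


def queries_reaching_auth(queries, neg_ttl, honours_negative_ttl=None):
    """Replay (timestamp_seconds, resolver) queries for a single name.

    Each resolver keeps its own negative cache for neg_ttl seconds.  If
    honours_negative_ttl is given, only resolvers in that set cache the
    negative answer; the rest (the 'ignore negative TTL' case) re-query
    every time.  Returns (queries_to_auth, total_queries).
    """
    expires = {}  # resolver -> time its cached negative answer expires
    to_auth = 0
    total = 0
    for ts, resolver in sorted(queries):
        total += 1
        honours = honours_negative_ttl is None or resolver in honours_negative_ttl
        if honours and resolver in expires and ts < expires[resolver]:
            continue  # answered from the resolver's own negative cache
        to_auth += 1
        expires[resolver] = ts + neg_ttl
    return to_auth, total


def demo():
    """Three constructed hours of traffic for one withdrawn name."""
    neg_ttl = negative_cache_ttl(soa_minimum=86400, soa_ttl=3600)  # 3600 s

    # Case A: one resolver retrying every 30 s for an hour (120 queries).
    one_busy = [(30 * i, "resolver-a") for i in range(120)]
    # Case B: 120 different resolvers, each asking once in that hour.
    many_once = [(30 * i, f"resolver-{i}") for i in range(120)]

    return {
        "neg_ttl": neg_ttl,
        # Same resolver: the negative answer is cached, one query gets through.
        "one_busy": queries_reaching_auth(one_busy, neg_ttl),
        # Many resolvers: every first query still reaches the authority.
        "many_once": queries_reaching_auth(many_once, neg_ttl),
        # A resolver that ignores negative TTL gains nothing from it.
        "one_busy_ignoring": queries_reaching_auth(
            one_busy, neg_ttl, honours_negative_ttl=set()
        ),
    }


if __name__ == "__main__":
    for case, value in demo().items():
        print(case, value)
```

The simulation shows why the large negative TTL did not reduce the load much: the "many_once" case, many distinct resolvers each asking once, is the shape of traffic a retired but widely referenced name attracts, and a longer negative TTL does nothing about the first query from each of them, while the "one_busy_ignoring" case is the resolver population that disregards negative caching altogether.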
