Dyn DDoS this AM?

Suzanne Woolf suzworldwide at gmail.com
Mon Oct 24 17:10:16 UTC 2016

> On Oct 24, 2016, at 12:06 PM, Eitan Adler <lists at eitanadler.com> wrote:
> On 24 October 2016 at 01:25, LHC <large.hadron.collider at gmx.com> wrote:
>> All this TTL talk makes me think.
>> Why not have two ttls - a 'must-recheck' (does not expire the record but forces a recheck; updates record if server replies & serial has incremented) and a 'must-delete' (cache will be stale at this point)?
> If clients can't get one TTL correct what makes you think they will
> get a more complicated two TTL system correct?

…To say nothing of resolvers that simply ignore server-side TTLs and set their own.

For instance, https://www.icann.org/en/system/files/files/rssac-003-root-zone-ttls-21aug15-en.pdf "RSSAC 003: RSSAC Report on Root Zone TTLs" will tell you far more than you really want to know about TTLs and caching behavior, and some of it is specific to the root zone, but one of the key observations is "Root zone TTLs appear to not matter to most clients."

Modern large-scale DNS is a fairly complex system. Speculating from here about how it behaved under attack in someone else's network is interesting, and I look forward to more information from Dyn as they feel they can share it, but DDoS is a big enough fact of life for them and everyone else that if there was a simple answer, I think someone would be making a fortune on it already, or at least have filed the patents.

(speaking for myself)
