[192303] in North American Network Operators' Group


Re: Dyn DDoS this AM?

daemon@ATHENA.MIT.EDU (Suzanne Woolf)
Mon Oct 24 21:42:18 2016

X-Original-To: nanog@nanog.org
From: Suzanne Woolf <suzworldwide@gmail.com>
Date: Mon, 24 Oct 2016 13:10:16 -0400
To: nanog@nanog.org
In-Reply-To: <CAF6rxg=4WoAEch+mH11AN9ZBafJKnT6Z8V=J7iqPQGt-pD6hcA@mail.gmail.com>
Errors-To: nanog-bounces@nanog.org


> On Oct 24, 2016, at 12:06 PM, Eitan Adler <lists@eitanadler.com> wrote:
>
> On 24 October 2016 at 01:25, LHC <large.hadron.collider@gmx.com> wrote:
>> All this TTL talk makes me think.
>>
>> Why not have two ttls - a 'must-recheck' (does not expire the record
>> but forces a recheck; updates record if server replies & serial has
>> incremented) and a 'must-delete' (cache will be stale at this point)?
>
> If clients can't get one TTL correct what makes you think they will
> get a more complicated two TTL system correct?
>

…To say nothing of resolvers that simply ignore server-side TTLs and
set their own.

For instance,
https://www.icann.org/en/system/files/files/rssac-003-root-zone-ttls-21aug15-en.pdf
“RSSAC 003: RSSAC Report on Root Zone TTLs” will tell you far more than
you really want to know about TTLs and caching behavior, and some of it
is specific to the root zone, but one of the key observations is “Root
zone TTLs appear to not matter to most clients.”

Modern large-scale DNS is a fairly complex system. Speculating from here
about how it behaved under attack in someone else’s network is
interesting, and I look forward to more information from Dyn as they
feel they can share it — but DDoS is a big enough fact of life for them
and everyone else that if there was a simple answer, I think someone
would be making a fortune on it already, or at least have filed the
patents.


Suzanne
(speaking for myself)
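A toy model of the two-TTL cache LHC proposes in the quoted message (a 'must-recheck' window during which the old answer is still served while the upstream is re-queried, and a 'must-delete' point after which the record is dropped), with an optional override to model the resolvers Suzanne mentions that ignore server-side TTLs and use their own. This is an added example, not code from the thread; `Record`, `Upstream`, `TwoTtlCache` and the sample zone are constructed, and time is passed in as an integer so an authoritative outage can be replayed deterministically.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Record:
    rdata: str
    serial: int        # zone serial; a higher serial means the data changed
    recheck_ttl: int   # 'must-recheck': re-query after this, but keep serving
    delete_ttl: int    # 'must-delete': drop the record after this


class Upstream:
    """Constructed authoritative server that can be taken offline (e.g. under DDoS)."""
    def __init__(self, zone: Dict[str, Record]):
        self.zone, self.online = zone, True

    def query(self, name: str) -> Optional[Record]:
        return self.zone.get(name) if self.online else None


class TwoTtlCache:
    def __init__(self, upstream: Upstream, ttl_override: Optional[Tuple[int, int]] = None):
        self.upstream = upstream
        self.ttl_override = ttl_override  # (recheck, delete) for a resolver that ignores server TTLs
        self.store: Dict[str, Tuple[Record, int]] = {}  # name -> (record, time inserted)

    def _ttls(self, rec: Record) -> Tuple[int, int]:
        return self.ttl_override or (rec.recheck_ttl, rec.delete_ttl)

    def resolve(self, name: str, now: int) -> Tuple[Optional[str], str]:
        entry = self.store.get(name)
        if entry is not None:
            rec, inserted = entry
            recheck, delete = self._ttls(rec)
            age = now - inserted
            if age < recheck:
                return rec.rdata, "cached"
            if age < delete:                       # recheck window: serve, but ask upstream
                fresh = self.upstream.query(name)
                if fresh is not None and fresh.serial > rec.serial:
                    self.store[name] = (fresh, now)
                    return fresh.rdata, "refreshed"
                return rec.rdata, "stale-served"   # upstream down or unchanged: keep old answer
            del self.store[name]                   # past must-delete: only upstream can answer
        fresh = self.upstream.query(name)
        if fresh is None:
            return None, "servfail"
        self.store[name] = (fresh, now)
        return fresh.rdata, "fetched"
```

With the server's own TTLs (60/300) the cache keeps answering through a 290-second upstream outage and only fails once the must-delete point passes; with `ttl_override=(10, 20)` the same record is rechecked and dropped on the resolver's schedule regardless of what the server asked for.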
