[77284] in North American Network Operators' Group
Re: fwd: Re: [registrars] Re: panix.com hijacked
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Mon Jan 17 13:09:22 2005
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: "william(at)elan.net" <william@elan.net>
Cc: Joe Maimon <jmaimon@ttec.com>,
Andrew Brown <twofsonet@graffiti.com>,
William Allen Simpson <wsimpson@greendragon.com>, nanog@merit.edu,
"Ross Wm. Rader" <ross@tucows.com>
In-Reply-To: Your message of "Sun, 16 Jan 2005 21:35:26 PST."
<Pine.LNX.4.44.0501161225210.11207-100000@sokol.elan.net>
Date: Mon, 17 Jan 2005 13:08:50 -0500
Errors-To: owner-nanog-outgoing@merit.edu
In message <Pine.LNX.4.44.0501161225210.11207-100000@sokol.elan.net>, "william(at)elan.net" writes:
>
>
>On Sun, 16 Jan 2005, Joe Maimon wrote:
>
>> Thus justifying those who load their NS and corresponding NS's A records
>> with nice long TTL
>
>Although this wasn't a problem in this case (hijacker did not appear to
>have been interested in controlling dns since it points to default domain
>registration and under construction page), but long TTL trick could be
>used by hijackers - i.e. he gets some very popular domain, changes dns to
>the one he controls and purposely sets long TTL. Now even if registrars
>are able to act quickly and change registration back, those who cached new
>dns data would keep it for quite long in their cache.
>
Many versions of bind have a parameter that caps TTLs to some rational
maximum value -- by default in bind9, 3 hours. Unfortunately, the
documentation suggests that the purpose of the max-ncache-ttl parameter
is to let you increase the cap, in order to improve performance and
decrease network traffic.

The suggestion that someone made the other day -- that the TTL on zones
be ramped up gradually by the registries after creation or transfer --
is, I think, a good one.
--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
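
Added illustration, not part of the original message and not BIND code: a toy resolver cache in Python showing how a resolver-side TTL cap bounds how long a hijacker's long-TTL delegation survives after the registration is restored. The names, the 30-day hijacker TTL, the one-hour repair time and the 60-second query interval are constructed assumptions; the 3-hour cap is the figure quoted in the message.

```python
# Toy model of a caching resolver; all names and values are constructed.
HIJACK_NS, LEGIT_NS = "ns.hijacker.example.", "ns1.victim.example."

class CappingCache:
    """Resolver cache that clamps every stored TTL to max_ttl (None = no cap)."""
    def __init__(self, max_ttl=None):
        self.max_ttl = max_ttl
        self.entries = {}                      # name -> (value, absolute expiry)

    def put(self, name, value, ttl, now):
        if self.max_ttl is not None:
            ttl = min(ttl, self.max_ttl)       # the cap is applied at insert time
        self.entries[name] = (value, now + ttl)

    def get(self, name, now):
        hit = self.entries.get(name)
        if hit is None or now >= hit[1]:       # missing or expired
            self.entries.pop(name, None)
            return None
        return hit[0]

def upstream(now, fixed_at, hijack_ttl, legit_ttl=3600):
    """Delegation as seen at time `now`: bogus until the registrar fixes it."""
    return (HIJACK_NS, hijack_ttl) if now < fixed_at else (LEGIT_NS, legit_ttl)

def resolve(cache, name, now, fixed_at, hijack_ttl):
    value = cache.get(name, now)
    if value is None:                          # cache miss: ask upstream and store
        value, ttl = upstream(now, fixed_at, hijack_ttl)
        cache.put(name, value, ttl, now)
    return value

def exposure_after_fix(max_ttl, hijack_ttl, fixed_at, step=60):
    """Seconds after the fix during which a resolver queried every `step`
    seconds (from t=0, the moment of the hijack) still returns the bogus NS."""
    cache, now = CappingCache(max_ttl), 0
    while True:
        answer = resolve(cache, "victim.example.", now, fixed_at, hijack_ttl)
        if now >= fixed_at and answer == LEGIT_NS:
            return now - fixed_at
        now += step

if __name__ == "__main__":
    thirty_days, three_hours, one_hour = 30 * 86400, 3 * 3600, 3600
    for cap in (None, three_hours):
        secs = exposure_after_fix(cap, thirty_days, fixed_at=one_hour)
        print(f"cap={cap}: bogus answers for {secs / 3600:.1f} h after the fix")
```

With no cap the resolver keeps the bogus delegation for the full 30 days; with the cap it is gone two hours after the fix, because the entry was stored with at most three hours to live.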