nanog mailing list archives

Re: Dyn DDoS this AM?


From: Suzanne Woolf <suzworldwide () gmail com>
Date: Mon, 24 Oct 2016 13:10:16 -0400


On Oct 24, 2016, at 12:06 PM, Eitan Adler <lists () eitanadler com> wrote:

On 24 October 2016 at 01:25, LHC <large.hadron.collider () gmx com> wrote:
All this TTL talk makes me think.

Why not have two TTLs - a 'must-recheck' (does not expire the record but forces a recheck; updates the record if the server 
replies & the serial has incremented) and a 'must-delete' (cache will be stale at this point)?

If clients can't get one TTL correct what makes you think they will
get a more complicated two TTL system correct?


…To say nothing of resolvers that simply ignore server-side TTLs and set their own.

For instance, https://www.icann.org/en/system/files/files/rssac-003-root-zone-ttls-21aug15-en.pdf 
“RSSAC 003: RSSAC Report on Root Zone TTLs” will tell you far more than you really want to know about TTLs and caching 
behavior, and some of it is specific to the root zone, but one of the key observations is “Root zone TTLs appear to not 
matter to most clients.”

Modern large-scale DNS is a fairly complex system. Speculating from here about how it behaved under attack in someone 
else’s network is interesting, and I look forward to more information from Dyn as they feel they can share it— but DDoS 
is a big enough fact of life for them and everyone else that if there was a simple answer, I think someone would be 
making a fortune on it already, or at least have filed the patents.


Suzanne
(speaking for myself)
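A small resolver-cache model of the two-TTL idea quoted above (a 'must-recheck' age after which the record is still served but the authority is re-queried, and a 'must-delete' age after which it is discarded), as an added example that is not part of this thread. The authoritative-server stand-in, the zone name, the RFC 5737 documentation addresses and the serials are constructed; the refresh rule (replace the record only when the authority answers and its serial has incremented) follows the proposal as written.

```python
from dataclasses import dataclass


@dataclass
class Entry:
    rdata: str
    serial: int
    fetched_at: float  # when the record was last fetched or confirmed


class FakeAuthority:
    """Constructed stand-in for an authoritative server; the caller toggles `up`
    to model the authority being unreachable (e.g. during a DDoS)."""
    def __init__(self):
        self.up = True
        self.zone = {"www.example.com.": ("192.0.2.1", 2016102401)}

    def query(self, name):
        if not self.up:
            raise TimeoutError("authority unreachable")
        return self.zone[name]


class TwoTtlCache:
    def __init__(self, authority, recheck_ttl=60, delete_ttl=300):
        self.authority = authority
        self.recheck_ttl, self.delete_ttl = recheck_ttl, delete_ttl
        self.entries = {}
        self.log = []  # (event, name) pairs, useful for asserting behaviour

    def lookup(self, name, now):
        """Return rdata, or None (SERVFAIL) when nothing servable exists."""
        e = self.entries.get(name)
        if e is None or now - e.fetched_at >= self.delete_ttl:
            # must-delete reached: discard even if the authority is down
            self.entries.pop(name, None)
            return self._refetch(name, now, stale=None)
        if now - e.fetched_at >= self.recheck_ttl:
            # must-recheck reached: keep serving, but try to refresh
            return self._refetch(name, now, stale=e)
        self.log.append(("hit", name))
        return e.rdata

    def _refetch(self, name, now, stale):
        try:
            rdata, serial = self.authority.query(name)
        except TimeoutError:
            self.log.append(("recheck_failed" if stale else "servfail", name))
            return stale.rdata if stale else None
        if stale is None or serial > stale.serial:
            self.entries[name] = Entry(rdata, serial, now)
            self.log.append(("updated", name))
        else:
            stale.fetched_at = now  # serial unchanged: keep record, restart clocks
            self.log.append(("confirmed", name))
        return self.entries[name].rdata
```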
