In this episode, Matt and Cricket answer Alan Frabutt’s question about whether recursive name servers that don’t honor TTLs really exist – the “yeti” of recursive name servers – and Joe Conlin’s question about the right way to deal with abuse of your name server, and try to assist Louis Sterchi in his quest to learn more about DNS, registries and registrars. That last question leads them on a trip down the Internet’s memory lane, reminiscing about the old days of DNS, before registries and registrars, back when subdomains of com, net and org were free.
On the issue of DNS servers which have a setting to force a longer TTL, Unbound has this option:
cache-min-ttl:
Time to live minimum for RRsets and messages in the cache. Default is 0. If the minimum kicks in, the data is cached for longer than the domain owner intended, and thus fewer queries are made to look up the data. Zero makes sure the data in the cache is as the domain owner intended; higher values, especially more than an hour or so, can lead to trouble as the data in the cache does not match up with the actual data any more.
https://unbound.net/documentation/unbound.conf.html
Maybe it is meant to help prevent DNS Rebinding Attacks or set a minimum of a couple of seconds, maybe minutes on really busy recursors.
The rebinding prevention seems less likely, as there is already another setting to deal with such attacks.
Posted by Leen Besselink on March 5th, 2012.
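To make the trade-off in the Unbound documentation quoted above concrete, here is an added example (not Unbound's code, and not part of the original post) that models a recursive cache which clamps record TTLs to a configured minimum the way cache-min-ttl does. The zone name, addresses, TTLs and query pattern are all constructed for the simulation; it counts how many upstream lookups the cache makes and how many answers are stale after the zone owner changes the record, which is exactly the "data in the cache does not match up with the actual data" problem the documentation warns about.

```python
"""Toy model of a TTL-clamping recursive cache (added example, not Unbound code)."""
from dataclasses import dataclass, field

ZONE_NAME = "www.example.test."  # constructed sample name


@dataclass
class AuthoritativeZone:
    """Stand-in for the domain owner's authoritative data: name -> (rdata, ttl)."""
    records: dict
    lookups: int = 0  # how many times the recursor had to ask us

    def query(self, name):
        self.lookups += 1
        return self.records[name]


@dataclass
class ClampingCache:
    """Recursive cache that applies a cache-min-ttl style floor to every TTL."""
    zone: AuthoritativeZone
    cache_min_ttl: int = 0  # 0 = honour the owner's TTL, as in Unbound's default
    entries: dict = field(default_factory=dict)  # name -> (rdata, expires_at)

    def resolve(self, name, now):
        entry = self.entries.get(name)
        if entry and entry[1] > now:
            return entry[0]  # served from cache, no upstream traffic
        rdata, ttl = self.zone.query(name)
        effective_ttl = max(ttl, self.cache_min_ttl)  # the clamp
        self.entries[name] = (rdata, now + effective_ttl)
        return rdata


def simulate(cache_min_ttl, owner_ttl=30, duration=600, change_at=100):
    """Query once per second for `duration` seconds; the owner changes the
    record at `change_at`. Returns (upstream lookups, stale answers served)."""
    zone = AuthoritativeZone({ZONE_NAME: ("192.0.2.1", owner_ttl)})
    cache = ClampingCache(zone, cache_min_ttl)
    stale = 0
    for now in range(duration):
        if now == change_at:
            zone.records[ZONE_NAME] = ("192.0.2.2", owner_ttl)  # owner repoints
        answer = cache.resolve(ZONE_NAME, now)
        if answer != zone.records[ZONE_NAME][0]:
            stale += 1
    return zone.lookups, stale


if __name__ == "__main__":
    for min_ttl in (0, 300):
        lookups, stale = simulate(min_ttl)
        print(f"cache-min-ttl={min_ttl:>3}: {lookups:>2} upstream lookups, "
              f"{stale:>3} stale answers after the change")
```

With the default of 0 the cache refetches every 30 seconds and serves the old address for at most one owner TTL after the change; with cache-min-ttl set to 300 it makes a tenth of the upstream queries but keeps answering with the stale address for up to 200 seconds. That is the whole trade-off in one number: any floor above the owner's TTL buys query reduction with a correspondingly longer window of wrong answers.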