joel jaeggli <joe...@bogus.com> wrote on Friday, 1 April 2016 at 02:35:
> > > > 2) baidu dns hijack(2010):
> > > > http://www.zdnet.com/article/baidu-dns-records-hijacked-by-iranian-cyber-army/
> > >
> > > This paper says it was purely social engineering on the registrar. No
> > > change in the DNS would help.
> >
> > if cache can temporarily prolong the ttl of baidu ns, that will help.
>
> It actually can't really unless you're proposing that a recursive
> resolver refuse to honor the ns/soa after ttl expiration. that makes it
> rather hard to change providers, transfer zones or replace nameservers.
> which are of course reasons why you would have a lower ttl on such
> records anyway.
>
> if you're suggesting that large content providers' zones are sufficiently
> ossified that they never change or are re/delegated well, that isn't true.

yeah, totally agree with you, we all want the change of ns RR to spread fast with a short ttl in the normal case. the prolonged-ttl action is activated in the "rescue case" as above: when a cache encounters "baidu.com"'s new ns record (hijack), and almost all *.baidu.com queries fail through the "new" ns, the cache can roll back to the "old" ns of baidu.com, and prolong the ttl, to ensure the dns query succeeds. normal ns change is not affected.

--
Best Regards
Pan Lanlan
Tel: +86 186 9834 2356
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
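The "rescue case" described in the message above, as an added example that is not part of the thread and not code from any real resolver: a toy model of a recursive cache that, when the NS RRset for a zone changes at TTL expiry, keeps the old set on the side, watches whether queries through the new nameservers succeed, and rolls back to the old set with a prolonged TTL if almost all of them fail. A change whose new servers answer is accepted as a normal delegation change. The zone name, nameserver names, TTL values, the 10-query observation window and the 90% failure cut-off are all constructed assumptions, as is the query function that stands in for real network traffic.

```python
"""Toy model of the 'rescue' NS rollback heuristic discussed in the thread.

Constructed example, not code from any real resolver. A recursive cache that,
after a delegation (NS RRset) change, watches whether queries sent through the
new nameservers succeed; if almost all of them fail, it rolls back to the
previously cached NS set and prolongs that set's TTL.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed sample data; example.com stands in for the zone discussed.
ZONE = "example.com"
REAL_NS = ("ns1.example.net", "ns2.example.net")   # legitimate delegation
HIJACKED_NS = ("ns.attacker.test",)                # registrar-level hijack
NEW_NS = ("ns1.newdns.test", "ns2.newdns.test")    # legitimate provider move


def constructed_query(ns_name: str, qname: str) -> bool:
    """Stand-in for a real query: True if the server returned a usable answer.
    The hijacker's server never answers (timeout / SERVFAIL)."""
    return ns_name in REAL_NS + NEW_NS and qname.endswith("." + ZONE)


@dataclass
class NSSet:
    names: Tuple[str, ...]
    expires: int  # simulated clock value at which the RRset leaves the cache


class RescueResolver:
    def __init__(self, zone: str,
                 fetch_ns: Callable[[str], Tuple[Tuple[str, ...], int]],
                 query: Callable[[str, str], bool],
                 window: int = 20, fail_threshold: float = 0.9,
                 rescue_ttl: int = 3600) -> None:
        self.zone, self.fetch_ns, self.query = zone, fetch_ns, query
        self.window = window                  # queries observed before deciding
        self.fail_threshold = fail_threshold  # "almost all fail" cut-off
        self.rescue_ttl = rescue_ttl          # prolonged TTL for the rolled-back NS
        self.current: Optional[NSSet] = None
        self.previous: Optional[NSSet] = None  # NS set in force before last change
        self.observed: List[bool] = []         # query outcomes since that change
        self.rescued = False

    def _ns(self, now: int) -> NSSet:
        """Return the cached NS set, re-fetching from the parent on expiry."""
        if self.current is None or now >= self.current.expires:
            names, ttl = self.fetch_ns(self.zone)
            if self.current is not None and set(names) != set(self.current.names):
                self.previous = self.current  # delegation changed: remember the old one
                self.observed = []
            self.current = NSSet(tuple(names), now + ttl)
        return self.current

    def resolve(self, qname: str, now: int) -> bool:
        ns = self._ns(now)
        ok = any(self.query(n, qname) for n in ns.names)
        if self.previous is not None:  # a new delegation is on probation
            self.observed.append(ok)
            if len(self.observed) >= self.window:
                fail_rate = 1 - sum(self.observed) / len(self.observed)
                if fail_rate >= self.fail_threshold:
                    # Rescue: go back to the old NS set and prolong its TTL.
                    self.current = NSSet(self.previous.names, now + self.rescue_ttl)
                    self.rescued = True
                    ok = any(self.query(n, qname) for n in self.current.names)
                else:
                    self.rescued = False  # new servers answer: accept the change
                self.previous, self.observed = None, []
        return ok


def _run(second_ns: Tuple[str, ...]):
    """Populate the cache from REAL_NS, then switch the parent's delegation."""
    delegation = {"ns": REAL_NS}

    def fetch_ns(zone: str) -> Tuple[Tuple[str, ...], int]:
        return delegation["ns"], 300  # parent hands out the NS RRset with a 300 s TTL

    r = RescueResolver(ZONE, fetch_ns, constructed_query, window=10)
    first = r.resolve("www." + ZONE, now=0)
    delegation["ns"] = second_ns  # registrar-side change takes effect
    later = [r.resolve(f"host{i}.{ZONE}", now=400 + i) for i in range(12)]
    return first, later, r.rescued, r.current.names


def simulate_hijack():
    return _run(HIJACKED_NS)


def simulate_migration():
    return _run(NEW_NS)


if __name__ == "__main__":
    print("hijack:   ", simulate_hijack())
    print("migration:", simulate_migration())
```

In the hijack run the first nine queries after the delegation change fail through the attacker's server, the tenth triggers the rollback and is retried through the old servers, and the old NS set then stays in the cache for the prolonged TTL; in the migration run every query succeeds and the new NS set is simply accepted. The heuristic as coded keys only on failure through the new servers, so a delegation change whose new servers do answer, for whatever reason, is honored exactly as before.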