DNS Attacks
Les Mikesell
lesmikesell at gmail.com
Fri Jul 25 20:26:49 UTC 2008
Bruno Wolff III wrote:
>>
>> The only real delay when adding something new is getting the registered
>> servers for a domain into the root servers. These should be the ones
>
> Generally you mean the appropriate TLD servers as most newly registered
> domains don't go into the root servers.
I guess things have changed - .com at least used to be known directly by
the roots. Anyway, a query for an unknown domain has to start at the
root servers and will resolve as soon as they know where to send it.
>> listed in the whois lookup. There is a time-to-live associated with the
>> addresses, so existing names may linger with the wrong addresses, though.
>
> And some ISPs have been known to fudge these to be longer than what they
> are to cut down on queries. This breaks things like djbdns' feature of
> having the ttl count down as a cutover time is approached.
And worse, applications may cache them for as long as they run.
--
Les Mikesell
lesmikesell at gmail.com
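An added example, not part of the original thread, that simulates the TTL countdown toward a cutover that the message attributes to djbdns, and the two ways a downstream cache can defeat it: an ISP resolver that floors TTLs, and an application that caches the first answer for as long as it runs. The addresses (192.0.2.x) and timings are constructed.

```python
# Simulate a planned DNS cutover against caches that do and do not honour TTLs.
# Constructed values: documentation addresses, seconds since start of the run.
from typing import Optional

NORMAL_TTL = 3600        # TTL published on the record in steady state
CUTOVER = 5400           # second at which the authoritative data changes
OLD_ADDR, NEW_ADDR = "192.0.2.1", "192.0.2.2"


def authoritative_answer(now: int) -> tuple[str, int]:
    """Authoritative reply at `now`. Before the cutover the TTL is capped so it
    never extends past the cutover instant: an honest cache must re-query then."""
    if now < CUTOVER:
        return OLD_ADDR, min(NORMAL_TTL, CUTOVER - now)
    return NEW_ADDR, NORMAL_TTL


class CachingResolver:
    """Single-record cache. `min_ttl` floors every TTL (ISP behaviour);
    float('inf') models an application that never refreshes."""

    def __init__(self, min_ttl: float = 0):
        self.min_ttl = min_ttl
        self.addr: Optional[str] = None
        self.expires_at: float = 0

    def lookup(self, now: int) -> str:
        if self.addr is None or now >= self.expires_at:
            self.addr, ttl = authoritative_answer(now)
            self.expires_at = now + max(ttl, self.min_ttl)
        return self.addr


def seconds_stale_after_cutover(min_ttl: float, interval: int = 60,
                                horizon: int = 3 * CUTOVER) -> Optional[int]:
    """Query every `interval` seconds; return how long after the cutover the
    new address is first served, or None if it never is within `horizon`."""
    cache = CachingResolver(min_ttl)
    for t in range(0, horizon + 1, interval):
        if cache.lookup(t) == NEW_ADDR:
            return t - CUTOVER
    return None


if __name__ == "__main__":
    for label, floor in (("honest cache", 0), ("ISP 1h floor", 3600),
                         ("app-lifetime cache", float("inf"))):
        print(f"{label:20s} old address served until cutover + "
              f"{seconds_stale_after_cutover(floor)} s")
```

The honest cache switches exactly at the cutover, the flooring resolver serves the old address for another 1800 s, and the application-lifetime cache never picks up the change.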