Dynamic DNS

Kevin Darcy kcd at daimlerchrysler.com
Tue Feb 6 23:17:45 UTC 2001


A 60-second TTL on the A record of one of your NS'es would be very inefficient. Other nameservers would be constantly having to re-fetch that A record. It would be next to useless. And 60 seconds might not
be long enough to prevent the hijacking either, depending on how quickly the DHCP server might give your old address to someone else after you've released it.

As I said earlier, it's not really practical to run a registered NS on a dynamically-assigned address. If you don't have any statically-assigned machines available to you for slave service, I'd probably
pay someone to provide the slave service for you. Or pay the extra money to get a statically-assigned address for your machine. Either option would be better than trying to kludge something on a
dynamically-assigned address.

- Kevin

Pierre LEONARD wrote:

> Hi Kevin,
>
> And thanks for this information.
>
> > The difference is one of scale. If someone hijacks the address of your HTTP or
> > SMTP server, i.e. a "leaf" node, they get the opportunity to intercept your web
> > and/or mail traffic for a variable amount of time, which you can control
> > somewhat by tuning your TTL values. If they hijack the address of your NS,
> > however -- a "branch" node -- then they can run a nameserver which advertises
> > any NS list they want for your domain (including perhaps addresses of other
> > servers under their control!) with a large TTL, and everyone will keep going
> > back to those nameservers for information about your domain, instead of your
> > nameservers. So instead of a hijack of mere minutes or hours, for only *some*
> > of the names in your domain, potentially they could hijack your *entire* domain
> > for days or even weeks. Which is a much bigger exposure.
>
> OK, I understand what you mean. But does that mean that if I put a TTL of 60s
> on the A entry of my secondary DNS, the other DNS servers that will cache that
> reference don't work with that shorter TTL?
>
> Making the older address valid for name service even after the change.
>
> Sincerely
>
> Pierre Léonard
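As an added illustration of the configuration Kevin warns against (this is not code from the thread or from BIND), the following Python script parses a constructed zone in BIND master-file syntax and flags any apex NS whose in-zone A record carries a short TTL. The zone, the names, the addresses and the 3600-second threshold are all assumptions made for the example; the parser handles only what this one check needs. Note what the check cannot tell you: whether an address is dynamically assigned. That still has to come from knowing your own infrastructure.

```python
"""Audit the TTLs of the A records behind a zone's NS entries.

Added illustration for the thread above; the zone below is constructed and the
names/addresses are documentation values, not anything from the original posts.
"""
from typing import Dict, List, Optional

# Constructed zone in BIND master-file syntax (not from the thread).
SAMPLE_ZONE = """\
$TTL 86400
$ORIGIN example.org.
@         IN SOA ns1.example.org. hostmaster.example.org. 2001020601 3600 900 604800 86400
@         IN NS  ns1.example.org.
@         IN NS  ns2.example.org.
ns1       IN A   192.0.2.10
ns2    60 IN A   198.51.100.77  ; NS on a dynamic address, "protected" by a 60s TTL
www    60 IN A   192.0.2.20     ; a leaf host, where a short TTL is a reasonable trade-off
"""

Record = Dict[str, object]


def _qualify(name: str, origin: str) -> str:
    """Turn a master-file owner name into a lower-case FQDN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def parse_zone(text: str) -> List[Record]:
    """Minimal master-file parser: $TTL, $ORIGIN, per-record TTLs, '@',
    relative owners, blank owner fields and ';' comments. Just enough for
    the NS/A audit below, not a general zone parser."""
    default_ttl: Optional[int] = None
    origin = "."
    last_owner: Optional[str] = None
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # strip comments
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].lower()
            continue
        # A leading blank owner field means "same owner as the previous record".
        owner = last_owner if line[0].isspace() else _qualify(tokens.pop(0), origin)
        last_owner = owner
        ttl = default_ttl
        if tokens and tokens[0].isdigit():
            ttl = int(tokens.pop(0))
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        records.append({"owner": owner, "ttl": ttl, "type": rtype,
                        "rdata": " ".join(tokens)})
    return records


def audit_ns_glue(records: List[Record], min_ttl: int = 3600) -> List[Record]:
    """For each NS at the zone apex, look up the in-zone A record(s) of the
    nameserver and flag any whose TTL is below min_ttl (an assumed threshold).
    A short TTL here means every resolver re-fetches the address constantly,
    and it does not stop a hijack of the address itself."""
    apex = next(r["owner"] for r in records if r["type"] == "SOA")
    findings: List[Record] = []
    for ns in (r for r in records if r["type"] == "NS" and r["owner"] == apex):
        target = str(ns["rdata"]).lower()
        glue = [r for r in records if r["type"] == "A" and r["owner"] == target]
        if not glue:
            findings.append({"ns": target, "addr": None, "ttl": None, "ok": False,
                             "note": "no in-zone A record (out-of-zone server or missing glue)"})
            continue
        for a in glue:
            ok = isinstance(a["ttl"], int) and a["ttl"] >= min_ttl
            findings.append({"ns": target, "addr": a["rdata"], "ttl": a["ttl"], "ok": ok,
                             "note": "" if ok else f"A record TTL {a['ttl']}s is below {min_ttl}s"})
    return findings


if __name__ == "__main__":
    for f in audit_ns_glue(parse_zone(SAMPLE_ZONE)):
        status = "ok  " if f["ok"] else "WARN"
        print(f"{status} {f['ns']:<20} {f['addr']!s:<16} ttl={f['ttl']} {f['note']}")
```

Run it on its own and ns2 is reported with its 60-second TTL while www, a leaf host with the same TTL, is not mentioned at all: the check deliberately looks only at the "branch" records, which is where the thread places the real exposure.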





More information about the bind-users mailing list