What happens when someone gets access to your DNS control and sets a TTL of 100 years on your domain, while pointing its IP to some obscure website?
(and you discover it too late of course)
Ryan has provided an excellent answer to one interpretation of your question. Given our target audience however, and the situation of the people most likely to stumble upon the question, I'm going to answer a different one.
You have a few options here. First and foremost though, you need to identify the problem vector and eliminate it. Trying to contain the damage is pointless when you have no control over the problem repeating itself.
Well, first of all, the BIND configuration manual I'm looking at states that TTL is a signed 32-bit integer, expressed in seconds, giving it a theoretical maximum of 2^31. It says
Valid TTLs are of the range 0-2147483647 seconds.
Or approximately 68 years. So you probably cannot set it to 100 years in the first place.
So, let's say you set it to 68 years. It's pretty clear what would happen. DNS resolvers that respected the extremely long TTL on your DNS records would cache them for as long as they could. Some DNS resolvers don't respect TTLs at all and just implement their own caching policy however they wish.
The reason we can't put a single hard number on the maximums is because there are many different implementations of DNS created by many different vendors, and they all use slightly different variables. For instance, a DNS server running on Juniper JunOS will only go up to 604800 seconds, or 7 days, on the TTL.
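The two points in this answer, that a TTL cannot exceed 2147483647 seconds and that a resolver may impose its own, much lower cap, are easy to see with a small model. The following is an added example written for this page, not code from the answerer or from BIND or JunOS: it validates a TTL against the 0..2147483647 range quoted above, then models a toy resolver cache that clamps any incoming TTL to a configurable maximum (the 604800-second figure is the JunOS value mentioned in the answer; the cache class, the record values and the address 192.0.2.1 are constructed for the demonstration). It shows why a resolver-side cap limits how long a hijacked record can linger, regardless of what the authoritative side publishes.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Upper bound stated in the answer: TTL is a signed 32-bit integer in seconds,
# so the largest value an authoritative server can express is 2^31 - 1.
MAX_TTL_SECONDS = 2**31 - 1          # 2147483647
SECONDS_PER_YEAR = 365 * 24 * 3600   # ignoring leap years for the estimate
JUNOS_MAX_TTL = 604800               # 7-day resolver cap quoted in the answer


def validate_ttl(ttl: int) -> int:
    """Reject a TTL that cannot be represented in the 32-bit signed field."""
    if not 0 <= ttl <= MAX_TTL_SECONDS:
        raise ValueError(f"TTL {ttl} is outside 0..{MAX_TTL_SECONDS}")
    return ttl


def ttl_in_years(ttl: int) -> float:
    """Rough conversion used to sanity-check 'how long is that, really?'."""
    return ttl / SECONDS_PER_YEAR


@dataclass
class CachedRecord:
    name: str
    rdata: str
    inserted_at: int   # epoch seconds when the resolver cached the answer
    ttl: int           # TTL the cache actually honours, after clamping


class CappingResolverCache:
    """Toy resolver cache (hypothetical) that imposes its own maximum TTL,
    as the answer describes some resolver implementations doing."""

    def __init__(self, max_ttl: int) -> None:
        self.max_ttl = validate_ttl(max_ttl)
        self._entries: Dict[str, CachedRecord] = {}

    def store(self, name: str, rdata: str, ttl: int, now: int) -> int:
        """Cache an answer; returns the TTL that will actually be honoured."""
        effective = min(validate_ttl(ttl), self.max_ttl)
        self._entries[name] = CachedRecord(name, rdata, now, effective)
        return effective

    def lookup(self, name: str, now: int) -> Optional[str]:
        """Return cached rdata, or None once the (clamped) TTL has elapsed,
        which is when a real resolver would re-query the authoritative side."""
        rec = self._entries.get(name)
        if rec is None:
            return None
        if now >= rec.inserted_at + rec.ttl:
            del self._entries[name]
            return None
        return rec.rdata


def hijack_window_seconds(resolver_max_ttl: int, published_ttl: int) -> int:
    """How long a resolver with the given cap would keep a record published
    with `published_ttl` before it re-queries (constructed scenario)."""
    cache = CappingResolverCache(resolver_max_ttl)
    # Constructed sample: a record pointing at a documentation-range address.
    return cache.store("www.example.invalid", "192.0.2.1", published_ttl, now=0)


if __name__ == "__main__":
    # "100 years" cannot even be expressed in the TTL field.
    try:
        validate_ttl(100 * SECONDS_PER_YEAR)
    except ValueError as exc:
        print("rejected:", exc)
    print(f"max TTL is about {ttl_in_years(MAX_TTL_SECONDS):.1f} years")
    print("uncapped resolver keeps it for", hijack_window_seconds(MAX_TTL_SECONDS, MAX_TTL_SECONDS), "s")
    print("7-day-capped resolver keeps it for", hijack_window_seconds(JUNOS_MAX_TTL, MAX_TTL_SECONDS), "s")
```

The contrast between the two `hijack_window_seconds` calls is the practical takeaway: a resolver that honours the full 2^31-1 seconds would hold the stale record for roughly 68 years, while one with a 7-day cap re-queries after 604800 seconds no matter what the authoritative server published.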