7

Is there a standard time duration before DNS caches are cleared, so that if a distracted operator or a stuck key turns a TTL of 86400 into 864000000 you don't end up with an authoritative resource record, or even an entire DNS zone, whose changes won't be recognized for 27.397 years?

And, if there is no protection against this sort of error, then what is the reasoning behind allowing TTL duration up to 68 years instead of a maximum value of perhaps one month?

user981178
  • Possible duplicate of [What happens when your TTL gets screwed up in your DNS record?](http://serverfault.com/questions/630043/what-happens-when-your-ttl-gets-screwed-up-in-your-dns-record) – Andrew B Apr 24 '16 at 09:33
  • @AndrewB Very related indeed, but not an exact duplicate. The [answer](http://serverfault.com/a/772531/214507) given by [Michael Hampton](http://serverfault.com/users/126632/michael-hampton) answers the question being asked better than any of the answers to your [duplicate suggestion](http://serverfault.com/q/630043/214507) does. – kasperd Apr 24 '16 at 10:32
  • @kasperd Michael's answer mentions the config options for several implementations by name and got my upvote (as did the question which had a score of zero), but otherwise this is a rehash of the same points. I don't really care whose answer you like better. – Andrew B Apr 24 '16 at 16:23

1 Answer

12

You'll be happy to know that most (if not all) DNS server software has protection against this scenario.

For example:

Microsoft DNS server has a MaxCacheTTL setting, which defaults to 86400. So regardless of any TTL setting in DNS RRs, if this is not adjusted, the DNS server will not cache anything longer than a day.

BIND also has a similar setting max-cache-ttl, which defaults to 604800 (7 days).

PowerDNS also has the setting max-cache-ttl and defaults to 86400.

Unbound names the setting cache-max-ttl and defaults to 86400.

Since BIND is still the most popular DNS server out there, its 7 day default will affect you. If you find out this has happened, you'll probably have to wait a week before most everyone has flushed their caches.

Michael Hampton
  • Excellent. Thanks for the information. So, I guess then it's just a matter of the operators of these resolving DNS servers not having adjusted them unwisely. – user981178 Apr 24 '16 at 05:36
  • Of course, this doesn't protect you if the DNS operators also mess up the max-cache-ttl settings. We hope they don't. – Braiam Apr 24 '16 at 18:02
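The resolver caps above limit the damage after the fact; the check an authoritative operator actually wants is one that refuses to publish the fat-fingered TTL in the first place. The Python script below is an added example, not code from the original question or from Michael Hampton's answer. It lints a zone file for TTLs that exceed either a local policy ceiling or the 2^31-1 limit of RFC 2181 (a TTL with the high bit set is treated as 0 by resolvers), handles `$TTL`, inherited owner names and parenthesised SOA continuations so that the SOA serial is not mistaken for a TTL, and then shows how long each resolver named in the answer would keep a record with the over-long TTL at its default cap. The sample zone, the one-week policy ceiling and the function names are assumptions constructed for the example; the resolver defaults are the ones quoted in the answer.

```python
# Added example (not from the original post): lint a zone file for TTLs that a
# stuck key turned absurd, and show how long each resolver would keep them.
import re

# Default caps from the answer above (seconds).
RESOLVER_MAX_CACHE_TTL = {
    "Microsoft DNS (MaxCacheTTL)": 86400,
    "BIND (max-cache-ttl)": 604800,
    "PowerDNS Recursor (max-cache-ttl)": 86400,
    "Unbound (cache-max-ttl)": 86400,
}
# RFC 2181 s8: TTL is 32-bit and a set high bit means 0, so 2^31-1 (~68 years) is the top.
MAX_VALID_TTL = 2**31 - 1
# Policy ceiling for this example (assumption): one week, matching BIND's default cap.
POLICY_MAX_TTL = 7 * 86400

TIME_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
TTL_RE = re.compile(r"^(?:\d+|(?:\d+[smhdw])+)$", re.I)

def parse_ttl(text):
    """Parse a BIND-style TTL: plain seconds or a unit string such as 1h30m."""
    text = text.strip().lower()
    if not TTL_RE.match(text):
        raise ValueError("bad TTL: %r" % text)
    if text.isdigit():
        return int(text)
    return sum(int(n) * TIME_UNITS[u] for n, u in re.findall(r"(\d+)([smhdw])", text))

def check_ttl(ttl, policy_max):
    """Describe why a TTL is unacceptable, or return None if it is fine."""
    if ttl > MAX_VALID_TTL:
        return "exceeds 2^31-1; RFC 2181 resolvers treat it as 0"
    if ttl > policy_max:
        return "exceeds policy max of %d s" % policy_max
    return None

def logical_lines(zone_text):
    """Yield (line_no, text) with ';' comments stripped and '( ... )' spans joined."""
    buf, start, depth = [], None, 0
    for n, raw in enumerate(zone_text.splitlines(), 1):
        text = raw.split(";", 1)[0].rstrip()
        if not text.strip() and depth == 0:
            continue
        if start is None:
            start = n
        buf.append(text)
        depth += text.count("(") - text.count(")")
        if depth <= 0:
            yield start, " ".join(buf)  # buf[0] keeps its leading whitespace
            buf, start, depth = [], None, 0

def lint_zone(zone_text, policy_max=POLICY_MAX_TTL):
    """Return (line_no, owner, rtype, ttl, problem) for every offending record."""
    findings, default_ttl, owner = [], None, None
    for line_no, text in logical_lines(zone_text):
        tokens = text.split()
        if tokens[0].upper() == "$TTL":
            default_ttl = parse_ttl(tokens[1])
            problem = check_ttl(default_ttl, policy_max)
            if problem:
                findings.append((line_no, "$TTL", "-", default_ttl, problem))
            continue
        if tokens[0].startswith("$"):  # $ORIGIN, $INCLUDE, ...: carry no TTL
            continue
        if not text[0].isspace():  # a line starting in column 1 names a new owner
            owner = tokens.pop(0)
        ttl = default_ttl
        if tokens and TTL_RE.match(tokens[0]):  # optional per-record TTL
            ttl = parse_ttl(tokens.pop(0))
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)
        rtype = tokens[0] if tokens else "?"
        problem = check_ttl(ttl, policy_max) if ttl is not None else "no TTL and no $TTL"
        if problem:
            findings.append((line_no, owner, rtype, ttl, problem))
    return findings

def worst_case_cache(ttl):
    """Seconds each resolver, at its default cap, may keep a record with this TTL."""
    return {name: min(ttl, cap) for name, cap in RESOLVER_MAX_CACHE_TTL.items()}

# Constructed sample zone: a sane record, a fat-fingered TTL, and one above 2^31-1.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@       IN SOA ns1.example.com. hostmaster.example.com. (
                2016042401 7200 900 1209600 3600 )
        IN NS  ns1.example.com.
www     86400      IN A 192.0.2.80   ; one day: fine
api     864000000  IN A 192.0.2.81   ; 86400 with a stuck key: ~27 years
old     3000000000 IN A 192.0.2.82   ; above 2^31-1: resolvers treat it as 0
"""

if __name__ == "__main__":
    print(*lint_zone(SAMPLE_ZONE), sep="\n")
    print(worst_case_cache(864000000))
```

Run it as a pre-commit or CI step over every zone before `rndc reload` or the equivalent, and fail the job on any finding. On the resolver side, the caps the answer lists are set as `max-cache-ttl 86400;` inside BIND's `options { }` block, `cache-max-ttl: 86400` under `server:` in unbound.conf, `max-cache-ttl=86400` in the PowerDNS recursor.conf, and `dnscmd /Config /MaxCacheTTL 86400` on a Microsoft DNS server; lowering them is what bounds your exposure to somebody else's typo, since the lint only protects zones you control.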