Verisign Speeds Up DNS Updates
Changeling writes "According to Matt Larson, a representative of VeriSign Naming and Directory Services, on September 8, 2004 Verisign will be switching from performing 2 updates per day of the .com and .net zones to performing updates every few seconds. According to Matt, 'After the rapid DNS update is implemented, the elapsed time from registrars' add or change operations to the visibility of those adds or changes in all 13 .com/.net authoritative name servers is expected to average less than five minutes.' Full story can be found here."
The bad part: if someone gets Verisign to shut off your DNS, your site goes dark before anyone knows what happened. It's a lot harder for anyone to mirror it when the news starts breaking.
Verisign's Spin...

Will rapid DNS updates impact SPAM?

Verisign anticipates negligible increases in SPAM as a result of more frequent updates to the .com/.net zone files. Rapid updates to .com/.net are consistent with processes in place at other large domain registries today.

Translation: When a spamvertized site is unplugged by hosting company X, the spammers can quickly redirect their domain to point at their new server at hosting company Y...
In the cat and mouse game that is spamming, the mice have just gotten an ability to flee faster.
RFC1035 was written before RFCs had the MUST/SHOULD syntax. That said, a 32-bit serial number in the SOA record is pretty much a MUST.
The solution is to have zone transfer clients transfer the zone regardless of whether the serial number has increased or decreased; this is what DJB's axfr (zone transfer) client does.
Overview for people who don't know DNS: The serial number is used in automated transfers of DNS information to determine whether the information has been updated. If the integer has been increased since the last update, the client knows to transfer all of the information again. The number is a 31-bit unsigned integer, which means the use of a Unix timestamp for this number will expire in 2038.
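As an added example (not part of the comment above, and not anyone's production code), this is how a zone-transfer client decides whether to pull a zone when it compares SOA serials with RFC 1982 serial-number arithmetic, and why a serial that goes backwards never triggers a transfer unless the client ignores serials altogether as the comment describes. The serial values are constructed: a date-style serial being replaced by a Unix timestamp.

```python
# Added example: SOA serial comparison as a secondary name server performs it.
# The SOA serial is a 32-bit unsigned field; RFC 1982 defines "greater than"
# modulo 2^32 so that a serial can wrap around without breaking transfers.
SERIAL_BITS = 32
MODULUS = 1 << SERIAL_BITS          # 2^32
HALF = 1 << (SERIAL_BITS - 1)       # 2^31: the largest "forward" distance

def serial_gt(i1: int, i2: int) -> bool:
    """RFC 1982: i1 > i2 iff i1 is strictly ahead of i2 by less than 2^31 (mod 2^32)."""
    i1 %= MODULUS
    i2 %= MODULUS
    return (i1 < i2 and i2 - i1 > HALF) or (i1 > i2 and i1 - i2 < HALF)

def secondary_should_transfer(local_serial: int, primary_serial: int,
                              ignore_serial: bool = False) -> bool:
    """Decision a secondary makes after polling the primary's SOA record.

    ignore_serial=True models the behaviour the comment attributes to DJB's
    axfr client: always transfer, so a serial that went backwards still propagates.
    """
    if ignore_serial:
        return True
    return serial_gt(primary_serial, local_serial)

# Constructed sample serials (not real zone data):
DATE_SERIAL = 2004090801     # YYYYMMDDnn style, as many zone files use
TIMESTAMP_SERIAL = 1094601600  # a Unix timestamp from the same day, numerically smaller

def demo() -> dict:
    """Return the outcomes a practitioner would want to see side by side."""
    return {
        # ordinary bump: nn incremented, transfer happens
        "bump": secondary_should_transfer(DATE_SERIAL, DATE_SERIAL + 1),
        # admin switches the zone to timestamp serials: looks like a decrease,
        # so a serial-checking secondary silently keeps the stale zone
        "switch_to_timestamp": secondary_should_transfer(DATE_SERIAL, TIMESTAMP_SERIAL),
        # the same switch on a client that ignores serials
        "switch_ignoring_serial": secondary_should_transfer(DATE_SERIAL, TIMESTAMP_SERIAL,
                                                            ignore_serial=True),
        # wraparound from the top of the 32-bit range is still "greater"
        "wraparound": serial_gt(5, MODULUS - 1),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The stale-zone case is the one that matters operationally: a secondary that only checks serials gives no error when the primary's serial moves backwards, so a monitor that compares the SOA serial served by each authoritative server is the usual way to catch it.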
In theory this seems reasonable as long as the update requirements don't put undue pressure on the TLD system. I can't imagine they would since technology has far surpassed what was available when these standards were introduced.
There are some obvious, immediate benefits with issues like this. Systems can more quickly route around outages and DDOS attacks.
However, I'm highly suspect that Verisign came up with this idea without some self-interest at the heart of it.
Why do I have this feeling that any non-Verisign registrar won't get their updates reflected in the root servers as quickly as Verisign's own customers?
This is not agreed-on "DNS behaviour", it's a flawed feature of BIND designed to try to prevent cache poisoning. See Dan Bernstein's notes on BIND's credibility mechanism. We don't need any encouragement to make DNS less secure!
So for all secure DNS resolvers, TTL will still be 48 hours until Verisign works out a way to let people update it themselves.
Matthew @ Bytemark Hosting