httpd-dev mailing list archives

From Paul Richards <>
Subject Re: security holes and other fun stuff
Date Mon, 15 Jul 1996 15:31:45 GMT
Dean Gaudet writes:

 > You can't change DNS in less than 2 weeks.  It doesn't matter what any of
 > your timeouts are set to -- you'll still see traffic on the old addresses
 > after two weeks.  I've done this dozens of times and seen it in action.  I
 > don't think that it's all broken DNS clients either -- netscape never looks
 > up anything twice, and many people leave their netscape (and everything
 > else) running when they "leave" work.  My netscape has been going for 3
 > days now, so I won't see any DNS changes until I restart it (i.e.  'cause
 > it crashed ;).  So... no matter what you do, you have to use two config
 > file entries for a while or you lose traffic.

The time it takes to change a DNS entry is dependent *entirely* on the timeout
value. Anything doing DNS lookups that caches an entry for longer than that
time is *FUNDAMENTALLY* broken.

That's the whole point of the thing: say your timeout is a week. When
you want to make a change you drop the timeout to, say, a day, wait a week,
make the change, wait a day, then bump the timeout back up to a week again.

After the first week everyone should be checking the primary every day at
which point it'll take no more than a day for the change to propagate.

Netscape may well be totally broken because I don't suppose they expected
people to leave it running permanently. Even so, it's totally
broken anyway if it doesn't honour the timeout, and I've always felt it's
totally broken for trying to implement DNS internally in the first place.

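The TTL-lowering procedure described in the message above (lower the TTL, wait out the old TTL, change the record, wait out the short TTL, restore the long TTL), simulated as an added example that is not part of the original thread. It models an authoritative answer that follows that schedule, a caching client that honours TTLs, and a client that never looks a name up twice, so both sides of the disagreement can be seen on the same timeline. Time is counted in hours; the addresses, the week/day TTLs and the query times are constructed sample values, and none of the class or function names come from any real resolver or from httpd.

```python
"""Simulate the TTL-lowering procedure for changing a DNS address.

Time is in hours. A Plan lowers the TTL, waits out the old TTL so that every
cache honouring TTLs has picked up the short one, changes the address, waits
out the short TTL, then restores the long TTL. All values are constructed.
"""
from dataclasses import dataclass
from typing import Optional

DAY = 24  # hours


@dataclass(frozen=True)
class Record:
    address: str
    ttl: int  # hours


@dataclass(frozen=True)
class Plan:
    lower_ttl_at: int       # publish old address with the short TTL
    change_address_at: int  # publish new address with the short TTL
    restore_ttl_at: int     # publish new address with the long TTL again


def plan_change(old_ttl: int, new_ttl: int, start: int = 0) -> Plan:
    """Schedule as described in the message: lower, wait old_ttl, change, wait new_ttl, restore."""
    return Plan(lower_ttl_at=start,
                change_address_at=start + old_ttl,
                restore_ttl_at=start + old_ttl + new_ttl)


def naive_change(at: int) -> Plan:
    """Flip the address without ever lowering the TTL (for comparison)."""
    return Plan(lower_ttl_at=at, change_address_at=at, restore_ttl_at=at)


class Authoritative:
    """Authoritative answer for one name as a function of time, following a Plan."""

    def __init__(self, plan: Plan, old_addr: str, new_addr: str, old_ttl: int, new_ttl: int):
        self.plan, self.old_addr, self.new_addr = plan, old_addr, new_addr
        self.old_ttl, self.new_ttl = old_ttl, new_ttl

    def answer(self, now: int) -> Record:
        p = self.plan
        if now < p.lower_ttl_at:
            return Record(self.old_addr, self.old_ttl)
        if now < p.change_address_at:
            return Record(self.old_addr, self.new_ttl)
        if now < p.restore_ttl_at:
            return Record(self.new_addr, self.new_ttl)
        return Record(self.new_addr, self.old_ttl)


class Resolver:
    """Caching client. honours_ttl=False models a client that never looks anything up twice."""

    def __init__(self, auth: Authoritative, honours_ttl: bool = True):
        self.auth, self.honours_ttl = auth, honours_ttl
        self.cached: Optional[Record] = None
        self.expires = 0

    def resolve(self, now: int) -> str:
        # Re-query only when nothing is cached, or the TTL ran out and we honour it.
        if self.cached is None or (self.honours_ttl and now >= self.expires):
            self.cached = self.auth.answer(now)
            self.expires = now + self.cached.ttl
        return self.cached.address


def first_seen_new(auth: Authoritative, honours_ttl: bool,
                   first_query: int, horizon: int) -> Optional[int]:
    """Hour at which a client that first resolved the name at `first_query` and keeps
    resolving it every hour first receives the new address; None if never by `horizon`."""
    r = Resolver(auth, honours_ttl)
    r.resolve(first_query)
    for t in range(first_query + 1, horizon + 1):
        if r.resolve(t) == auth.new_addr:
            return t
    return None


def compare(old_ttl: int = 7 * DAY, new_ttl: int = DAY) -> dict:
    """Hours between the address flip and the worst-case honouring client converging,
    for the lowered-TTL procedure versus a naive flip under the long TTL."""
    old, new = "10.0.0.1", "10.0.0.2"  # constructed sample addresses
    horizon = 4 * old_ttl
    # Worst case: the client cached the long-TTL record just before the TTL was lowered.
    proc = Authoritative(plan_change(old_ttl, new_ttl), old, new, old_ttl, new_ttl)
    naive = Authoritative(naive_change(0), old, new, old_ttl, new_ttl)
    return {
        "procedure_flip_to_converged": first_seen_new(proc, True, -1, horizon) - proc.plan.change_address_at,
        "naive_flip_to_converged": first_seen_new(naive, True, -1, horizon) - naive.plan.change_address_at,
        "never_requery_client_converges": first_seen_new(proc, False, -1, horizon) is not None,
    }


if __name__ == "__main__":
    print(compare())
```

With a week-long TTL lowered to a day, the honouring worst-case client picks up the new address within 23 hours of the flip, against 167 hours when the record is simply changed under the long TTL; the total calendar time is a week plus a day either way, the procedure just moves the waiting to before the change. The client constructed with `honours_ttl=False` never sees the new address at all, which is the case the quoted message describes and which no TTL setting can fix.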