Sign in
Version 5.4.0, 2014-04-22
Report a bug

Improving DNS Service Availability by Using Long TTL Values

Document type: Expired Internet-Draft (individual)
Document stream: No stream defined
Last updated: 2012-08-26 (latest revision 2012-02-23)
Intended RFC status: Unknown
Other versions: (expired, archived): plain text, pdf, html

Stream State:No stream defined
Document shepherd: No shepherd assigned

IESG State: Expired
Responsible AD: (None)
Send notices to: No addresses provided

This Internet-Draft is no longer active. Unofficial copies of old Internet-Drafts can be found here:


Due to the hierarchical tree structure of the Domain Name System [RFC1034][RFC1035], losing all of the authoritative servers that serve a zone can disrupt services to not only that zone but all of its descendants. This problem is particularly severe if all the authoritative servers of the root zone, or of a top level domain's zone, fail. Although proper placement of secondary servers, as discussed in [RFC2182], can be an effective means against isolated failures, it is insufficient to protect the DNS service against a Distributed Denial of Service (DDoS) attack. This document proposes to reduce the impact of DDoS attacks against top level DNS servers by setting long TTL values for NS records and their associated A and AAAA records. Our proposed changes are purely operational and can be deployed incrementally.


Eric Osterweil <>
Vasileios Pappas <>

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid)