Giovane Moura

Based in Arnhem, The Netherlands




Likes on articles

About the author

Giovane is a Data Scientist with SIDN Labs (.nl registry) and a Assistant Professor at TU Delft, in the Netherlands. He works on security and Internet measurements research projects. You can reach him at

• Reply to Sebastian Wiesinger on NTP Pool - The Internet Timekeeper by Giovane Moura

“Great article, but you can't teaser a problem like how atomic clocks are synchronized and then link to a Reddit thread that doesn't answer the question!”

fair enough, it was just a teaser anyway. Here's more info on that: (I'll ask to replace the reddit url by this one)

• Reply to Niels Dettenbach on Vulnerability Disclosure: A First-Hand View by Giovane Moura

“"Given that resolvers would not cache such responses, some of them would loop indefinitely " Just wondering why such resolvers are not handled by any rate limiting or similiar to request when requesting same records within their TTL?”

so please refer to section 4.4 in TL;DR: some resolvers would just do it, and other stub resolvers are not bound by TTLs, are they are just minimalist. And GDNS was not caching such looping records. The fix:

• Reply to Stéphane Bortzmeyer on Approaching the IETF - A View from Civil Society by Dan Sexton

“A good thing about the IETF is that it is open and discussions are public so here is the link to the discussion inside the IETF about this article:”

thanks for posting this, Stéphane .

• Reply to Jørgen H on How to Choose DNS TTL Values by Giovane Moura

“You should probably add that several DNS-implementations (embedded devices or not) ignore low TTL-values and cache for anything between several hours or even days :) This may or may not be caused by bugs, but depending on low TTL values on the general internet is not too smart.”

Yep, I mean, TTL values are in fact upper limits; resolvers however would do whatever the want. Now, there are many implementations and corner cases as you point . However, we evaluated the population of resolvers used by atlas probes (15,000 more less) and resolvers querying .nl auth servers -- that is where conclusions are based on. But I agree that some boxes would do just what they want

• On Update on the RIPE Atlas Anchor VM pilot by Robert Kisteleki

This is a great initiative. If it works as expected, it has the potential to cover most cloud providers. Measurements from cloud providers are , in fact, very important for user's experiences. Nowadays, many users wind up using backend systems very often hosted in big cloud providers, without being aware of it and being 1000s of km away from it. For example, you can see at [1] that 1/3 of DNS queries to .nl are actually from the US -- a ratio larger than the queries from the Netherlands. One of the reasons is that many users in the NL are using US-based cloud backends (social networking, as an example). So if works, would be great to a have probe per cloud provider, per datacenter. In this way, we can have a better understand of user' s experience when they (in)directly use these services. [1]

• On DNS TTL Violations in the Wild - Measured with RIPE Atlas by Giovane Moura

> I still disagree with the term: first, a resolver does not always talk with an authoritative name server, it may talk to an upstream > resolver a forwarder), and so receive a smaller TTL. There may be many "middleboxes" -- other boxes in between resolver and the client , as you pointed (just like fig 1 in [0] I am not saying the violations were performed by the local resolver. I am only claiming they were violated/changed. Now, to avoid any "cache hit" in any "middlebox" -- ie., shared cache, other resovlers, etc. -- which woudl return me a smaller TTL value -- I ensured that each probe sent a unique query -- see step 3 on section 2. So even if two probes used the same local resolver at the same time, they would have asked for diff records , in the format of $ > Also, all DNS implementations have an upper bound for TTLs (sometimes configurable, as with BIND and Unbound). Is it a "violation" to cap a one-month TTL (seen in the wild) to one week? "Violation" in this case is changing the value provided by the auth server, in regardless of the intention. I am not implying any judgment on the value change, only a value change. refs: [0]

• On DNS TTL Violations in the Wild - Measured with RIPE Atlas by Giovane Moura

Thanks Stéphane for your feedback. I refer to TTL violations as in [1] , which is when a resolver " overrides the TTL value" . In regardless if is increased or decreases; just different from what the authoritative returns. So in this context , violation is not protocol violation, is the violation or changing the original TTL value provided by the authoritative. thanks, /gio [1]

Showing 7 comment(s)