[dns-operations] The perils of retroactive DNSSEC validation

Edward Lewis Ed.Lewis at neustar.biz
Sat Nov 15 14:03:08 UTC 2008

At 0:29 +0100 11/15/08, Florian Weimer wrote:

>2) is impossible if it's intermittent Bogus data, like in an attack.
>The RRset will expire quickly from the BAD cache, but the upstream
>query will just retrieve that data again because the upstream cache
>has cached it in Indeterminate state, subject to the normal TTL rules.

So, it's like this - you ask for data, a cache gets it but can't 
complete the validation because it gets a SERVFAIL trying to get a 
needed key to complete the chain.  Failing to complete the validation 
means the data is labeled Bogus and be held as such until the TTL 
expires.  I mean, that's what I read as your concern.

For the same reason as we lack a way to flush the NCACHE, we'll 
probably continue to lack a way to flush the BAD cache.  (Certainly 
we don't want to give an arbitrary querier the ability to cause 
caches to dump all the time, regardless of which cache.)

One of the parts of your question that makes it hard for to 
understand is that your refer to "being in an attack."  I understand 
you can see unusual traffic patterns, but I don't know that the 
protocol can be used to determine if it is in an attack state.  An 
admin can suspect an attack and tell from lots of other data, but the 
DNS mechanics don't have the mechanisms for it.  (It would take a lot 
of state holding to tell if something is repeated in a malicious way, 
etc.  And you'd have to define the diffence between a broken 
application and a determined effort to be a nuisance.)
Edward Lewis                                                +1-571-434-5468

Never confuse activity with progress.  Activity pays more.

More information about the dns-operations mailing list