[dns-operations] DNS Attack over UDP fragmentation

Florian Weimer fw at deneb.enyo.de
Sat Sep 7 18:09:40 UTC 2013


* Daniel Kalchev:

> Might be the appropriate time to think how to depend less on caching
> is now?  Or cache only after validation?

It's certainly possible to reduce caching for unstable data.  Say you
use a certain piece of cached information four times initially, then
you revalidate.  If the data stays the same, you then use the
cached copy eight times, then sixteen and so on.  On a change, you
fall back to caching it for four uses.

The tricky part is how you revalidate—based on the current cache
contents, or the cache contents when the record was first cached?
Which one is more secure?

Despite this elaborate description, this approach is in its effect
quite close to sending every query twice and caching the response only
if both responses are equivalent.  Otherwise, you'd use the response
just once.
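As an added illustration (not code from the post or from any resolver
implementation), the following Python models both schemes described above:
the adaptive-trust cache that serves an answer four times, revalidates,
and doubles the allowance while the answer is unchanged, and the simpler
"ask twice, cache only on agreement" scheme.  The class and function names
(`AdaptiveCache`, `DoubleQueryCache`, `scripted_resolver`, `run`) are
hypothetical, the upstream resolver is a scripted stand-in rather than
real DNS, and two details are this example's own reading of the post: the
answer fetched upstream counts as the first of the allowed uses, and the
"first cached" policy compares against the value seen when the name was
first cached without ever resetting that baseline.  A single wrong upstream
answer in the script stands in for a forged response slipping past a
resolver; the point shown is how long each scheme keeps serving it.

```python
from typing import Callable, Dict, List

Resolver = Callable[[str], str]  # hypothetical: name -> answer string


def scripted_resolver(answers: List[str]) -> Resolver:
    """Upstream stand-in (constructed): returns the scripted answers in
    order, then keeps repeating the last one.  A forged response is modelled
    simply as one wrong entry in the script."""
    calls = {"n": 0}

    def resolve(name: str) -> str:
        i = min(calls["n"], len(answers) - 1)
        calls["n"] += 1
        return answers[i]

    return resolve


class Entry:
    def __init__(self, value: str, allowance: int):
        self.value = value          # answer currently served
        self.first_value = value    # answer seen when the name was first cached
        self.allowance = allowance  # uses permitted before revalidation
        self.served = 0             # uses consumed so far


class AdaptiveCache:
    """Serve an answer `base` times, then revalidate; double the allowance while
    the answer is unchanged (4, 8, 16, ...), drop back to `base` on a change."""

    def __init__(self, resolve: Resolver, base: int = 4, compare_to: str = "current"):
        assert compare_to in ("current", "first")
        self.resolve = resolve
        self.base = base
        self.compare_to = compare_to  # which cached value a revalidation is checked against
        self.entries: Dict[str, Entry] = {}
        self.upstream_queries = 0

    def _query(self, name: str) -> str:
        self.upstream_queries += 1
        return self.resolve(name)

    def lookup(self, name: str) -> str:
        e = self.entries.get(name)
        if e is not None and e.served < e.allowance:
            e.served += 1
            return e.value
        fresh = self._query(name)  # first fetch, or allowance exhausted: revalidate
        if e is None:
            e = self.entries[name] = Entry(fresh, self.base)
        else:
            reference = e.value if self.compare_to == "current" else e.first_value
            e.allowance = e.allowance * 2 if fresh == reference else self.base
            e.value = fresh
        e.served = 1  # the freshly fetched answer counts as one use
        return fresh


class DoubleQueryCache:
    """The simpler scheme: ask twice, cache only if both answers agree;
    otherwise use the first answer once and cache nothing."""

    def __init__(self, resolve: Resolver):
        self.resolve = resolve
        self.entries: Dict[str, str] = {}
        self.upstream_queries = 0

    def lookup(self, name: str) -> str:
        if name in self.entries:
            return self.entries[name]
        first, second = self.resolve(name), self.resolve(name)
        self.upstream_queries += 2
        if first == second:
            self.entries[name] = first
        return first


def run(cache, name: str, n: int) -> List[str]:
    """Perform n lookups of one name and return the answers served."""
    return [cache.lookup(name) for _ in range(n)]


if __name__ == "__main__":
    # "G" is the genuine answer, "F" a single forged one at the third fetch.
    for policy in ("current", "first"):
        c = AdaptiveCache(scripted_resolver(["G", "G", "F", "G"]), compare_to=policy)
        served = run(c, "example.test", 20)
        print(policy, "forged served:", served.count("F"),
              "allowance now:", c.entries["example.test"].allowance)
    d = DoubleQueryCache(scripted_resolver(["F", "G"]))
    print("double-query:", run(d, "example.test", 3), "queries:", d.upstream_queries)
```

Running the demo shows the trade-off the post asks about: with a transient
forged answer both policies serve it exactly four times, but the "first
cached" policy regrows trust as soon as the genuine answer returns, while the
"current" policy resets again on the way back.  Conversely, after a
legitimate change of the record, the "first cached" policy never grows past
four uses, because every revalidation still disagrees with the original
baseline.  The double-query cache never stores the lone forged answer at all,
at the cost of two upstream queries per uncached name.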
