[dns-operations] Google DNS used as amplification - aren't they caching?

Paul Wouters paul at nohats.ca
Thu Aug 7 14:17:41 UTC 2014


On Thu, 7 Aug 2014, Tony Finch wrote:

> Paul Wouters <paul at nohats.ca> wrote:
>>
>> Oh, the irony :)
>>
>> http://lists.opendnssec.org/pipermail/opendnssec-user/2012-September/002195.html
>
> What harm is done by caching NSEC3PARAM records?

No harm. At the time I was just trying to have two different
implementations sign the same zone, remove ephemeral data, and then
compare the two zones to see if they were identical. That way, if one
signing implementation broke, it would show as different and block the
zone from propagating. BIND set it to 0, OpenDNSSEC set it to the
default TTL:

    <NSEC3>
        <TTL>PT86400S</TTL>
        [...]
    </NSEC3>

Since OpenDNSSEC can now set the TTL via an option in kasp.xml, I am now
using a non-zero value myself, but large TLDs signing with BIND will
still see their ANY queries uncached by common (non-BIND) resolvers,
which, as we have seen, is bad and causes a LOT of extra packets.

Paul
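
The zero-TTL NSEC3PARAM problem described in the reply above, as an added audit example that is not part of this thread or of either project's code. It assumes a resolver that caches the whole ANY answer as one unit for the shortest RRset TTL in it; the zone excerpt and the kasp.xml durations are constructed, and the 3600 s threshold is a hypothetical local policy.

```python
import re

# Constructed zone apex excerpt, one record per line ("owner ttl class type rdata").
# The NSEC3PARAM line carries TTL 0, the way the thread says BIND wrote it.
ZONE_APEX = """\
example. 86400 IN SOA ns1.example. hostmaster.example. 2014080701 7200 3600 1209600 3600
example. 86400 IN NS ns1.example.
example. 86400 IN DNSKEY 257 3 8 placeholder-key-data
example. 0 IN NSEC3PARAM 1 0 10 ABCD
example. 86400 IN RRSIG DNSKEY 8 1 86400 20140907000000 20140807000000 12345 example. placeholder
"""

# kasp.xml <TTL> values are ISO 8601 durations such as PT86400S or P1D
# (assumes only day/hour/minute/second components are used).
ISO_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def kasp_duration_to_seconds(text):
    m = ISO_DURATION.match(text.strip())
    if not m:
        raise ValueError("unsupported duration: " + text)
    days, hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds

def parse_apex(zone_text):
    """Return {rrtype: ttl} for the records in the excerpt; an RRset's TTL is the smallest seen."""
    ttls = {}
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[1].isdigit():
            continue
        ttls[fields[3]] = min(int(fields[1]), ttls.get(fields[3], float("inf")))
    return ttls

def any_cache_lifetime(ttls):
    """Seconds the assumed resolver keeps the ANY answer, and which RRset limits it."""
    limiting = min(ttls, key=ttls.get)
    return ttls[limiting], limiting

def audit_nsec3param(zone_text, min_ttl=3600):
    """Flag the thread's failure mode: an NSEC3PARAM TTL so low that ANY answers are effectively uncached."""
    ttls = parse_apex(zone_text)
    lifetime, rrtype = any_cache_lifetime(ttls)
    findings = []
    if ttls.get("NSEC3PARAM", min_ttl) < min_ttl:
        findings.append("NSEC3PARAM TTL %d is below %d: ANY answers cached only %ds (limited by %s)"
                        % (ttls["NSEC3PARAM"], min_ttl, lifetime, rrtype))
    return findings
```

Running the audit on the excerpt flags the NSEC3PARAM record; re-signing with the TTL raised to the value from kasp.xml clears the finding.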
