[dns-operations] [dDoS] Good discussion on the Rackspace attack and DNS resiliency

Florian Weimer fw at deneb.enyo.de
Thu Dec 25 22:07:17 UTC 2014

* Colm MacCárthaigh:

> There's a good question embedded in that discussion:  when a resolver
> fails to get an answer from all of the authoritative nameservers for a
> domain, why not use the last known answer, even if it's stale.
> Yes, that clearly violates the TTL of the rrset, but wouldn't be
> over-all better for the health of the internet?

It's very difficult to implement properly, so that it does not
increase the impact of hijacks.  Even the best possible implementation
may encourage additional denial of service attacks, to prevent
resolvers from learning that the hijack event is over.

I also suspect that these hosters have a fairly long tail in the set
of requests they service, so this approach might still fail a large
percentage of requests in the end, not improving matters all that
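
The stale-answer fallback the quoted question describes, with a bounded staleness window as one way to limit how long a superseded record can linger, as an added illustration (not code from the original thread). The ServeStaleCache class, the max_stale parameter, the injected clock and the sample name and addresses are all constructed for this example.

```python
from __future__ import annotations
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed example: a minimal resolver cache that may answer from an
# expired record when every authoritative server is unreachable, but only
# for max_stale seconds past TTL expiry, so a stale (possibly superseded)
# answer cannot be kept alive indefinitely.

@dataclass
class CacheEntry:
    rdata: str
    ttl: int
    stored_at: float

class ServeStaleCache:
    def __init__(self, max_stale: int, clock: Callable[[], float] = time.time):
        self.max_stale = max_stale      # seconds beyond TTL we tolerate
        self.clock = clock              # injectable for deterministic tests
        self.entries: dict[str, CacheEntry] = {}

    def store(self, name: str, rdata: str, ttl: int) -> None:
        self.entries[name] = CacheEntry(rdata, ttl, self.clock())

    def lookup(self, name: str,
               query_upstream: Callable[[str], Optional[tuple[str, int]]]
               ) -> Optional[tuple[str, bool]]:
        """Return (rdata, is_stale), or None if no answer can be given."""
        now = self.clock()
        entry = self.entries.get(name)
        if entry is not None and now - entry.stored_at < entry.ttl:
            return entry.rdata, False       # fresh hit: normal TTL path
        fresh = query_upstream(name)        # expired: ask the authoritatives
        if fresh is not None:
            rdata, ttl = fresh
            self.store(name, rdata, ttl)    # recovery replaces the stale data
            return rdata, False
        # All authoritatives failed: serve the last known answer only while
        # within the stale window; beyond it, fail the query.
        if entry is not None and now - entry.stored_at < entry.ttl + self.max_stale:
            return entry.rdata, True
        return None

def demo() -> dict:
    t = [1000.0]                            # fake clock, advanced by hand
    cache = ServeStaleCache(max_stale=3600, clock=lambda: t[0])
    cache.store("www.example.com.", "192.0.2.10", ttl=300)
    def unreachable(name: str) -> None: return None
    def recovered(name: str) -> tuple[str, int]: return ("192.0.2.20", 300)
    out = {"fresh": cache.lookup("www.example.com.", unreachable)}
    t[0] += 600                             # TTL expired, servers down
    out["stale"] = cache.lookup("www.example.com.", unreachable)
    out["recovered"] = cache.lookup("www.example.com.", recovered)
    t[0] += 4000                            # past TTL + max_stale again
    out["expired"] = cache.lookup("www.example.com.", unreachable)
    return out
```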

