[dns-operations] [dDoS] Good discussion on the Rackspace attack and DNS resiliency

Paul Vixie paul at redbarn.org
Thu Dec 25 22:32:08 UTC 2014

> * Colm MacCárthaigh:
>> > There's a good question embedded in that discussion:  when a resolver
>> > fails to get an answer from all of the authoritative nameservers for a
>> > domain, why not use the last known answer, even if it's stale.

that's what opendns does.

>> >
>> > Yes, that clearly violates the TTL of the rrset, but wouldn't be
>> > over-all better for the health of the internet?

no. sometimes the old value is dangerous (private; load; loss) to the
person who changed it.

Paul Vixie
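The behaviour the thread is arguing about (later standardised as "serve-stale" in RFC 8767) is easy to see in a few dozen lines. The following is an added example, not code from the thread or from any resolver the posters mention: a toy resolver cache that honours TTLs normally, falls back to an expired answer only when every authoritative server fails, and bounds how long that fallback may continue. The zone contents, TTL, outage window and `max_stale` value are all constructed for illustration. The scenario also reproduces Vixie's objection: the operator changes the record at the moment the authoritatives become unreachable, and the stale cache keeps handing out the old value until the stale limit expires.

```python
"""Added example (not part of the mailing-list thread): a resolver cache with
a bounded serve-stale fallback.  All names, addresses, TTLs and timings are
constructed for illustration."""

from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class CacheEntry:
    rdata: List[str]      # answer records (IPv4 strings in this example)
    expires_at: float     # absolute time at which the TTL runs out


class UpstreamFailure(Exception):
    """Raised by the resolve callback when no authoritative server answered."""


class StaleCache:
    def __init__(self, max_stale: float):
        # max_stale: seconds past TTL expiry for which a stale answer may still
        # be served.  0 gives strict TTL behaviour (no serve-stale at all).
        self.max_stale = max_stale
        self.entries: Dict[str, CacheEntry] = {}

    def lookup(self, name: str, now: float,
               resolve: Callable[[str], Tuple[List[str], float]]
               ) -> Tuple[Optional[List[str]], str]:
        """Return (rdata, status) where status is fresh, stale or servfail."""
        entry = self.entries.get(name)
        if entry is not None and now < entry.expires_at:
            return entry.rdata, "fresh"          # within TTL: answer from cache
        try:
            rdata, ttl = resolve(name)           # TTL expired (or never cached): ask upstream
        except UpstreamFailure:
            # Every authoritative server failed.  Serve the old answer only if
            # it expired no more than max_stale seconds ago; beyond that the
            # risk of handing out a value the owner already replaced outweighs
            # the benefit of answering at all.
            if entry is not None and now - entry.expires_at <= self.max_stale:
                return entry.rdata, "stale"
            return None, "servfail"
        self.entries[name] = CacheEntry(rdata, now + ttl)
        return rdata, "fresh"


def run_scenario(max_stale: float) -> List[Tuple[float, str, Optional[List[str]]]]:
    """Walk one cache through a constructed outage and report each query's result.

    Timeline (constructed): the record has a 60 s TTL; at t=100 the zone owner
    changes the address AND the authoritative servers become unreachable until
    t=400, so the change is invisible to resolvers during the outage.
    """
    name = "www.example.test."
    old_rdata, new_rdata = ["192.0.2.10"], ["198.51.100.20"]
    ttl = 60.0
    change_at, outage_start, outage_end = 100.0, 100.0, 400.0
    clock = {"now": 0.0}

    def resolve(qname: str) -> Tuple[List[str], float]:
        now = clock["now"]
        if outage_start <= now < outage_end:
            raise UpstreamFailure("all authoritative servers unreachable")
        return (list(new_rdata) if now >= change_at else list(old_rdata)), ttl

    cache = StaleCache(max_stale)
    timeline = []
    for t in (0.0, 30.0, 120.0, 200.0, 380.0, 500.0):
        clock["now"] = t
        rdata, status = cache.lookup(name, t, resolve)
        timeline.append((t, status, rdata))
    return timeline


if __name__ == "__main__":
    for label, limit in (("strict TTL", 0.0), ("serve-stale, 300 s cap", 300.0)):
        print(f"--- {label} ---")
        for t, status, rdata in run_scenario(limit):
            print(f"t={t:5.0f}  {status:8s}  {rdata}")
```

With `max_stale=0` the resolver returns SERVFAIL for every query during the outage; with a 300 s cap it keeps answering for the first part of the outage, but the answer it gives is the address the owner had already retired, which is exactly the "dangerous to the person who changed it" case in the reply above. The cap is what turns that exposure from open-ended into bounded.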

