[dns-operations] [dDoS] Good discussion on the Rackspace attack and DNS resiliency

Kumar Ashutosh askuma at microsoft.com
Fri Dec 26 17:03:51 UTC 2014

+1 for Paul Vixie.
Not a big fan of sending stale answers. 

-----Original Message-----
From: dns-operations [mailto:dns-operations-bounces at dns-oarc.net] On Behalf Of Paul Vixie
Sent: Friday, December 26, 2014 04:02
To: Colm MacCárthaigh
Cc: dns-operations
Subject: Re: [dns-operations] [dDoS] Good discussion on the Rackspace attack and DNS resiliency

> * Colm MacCárthaigh:
>> > There's a good question embedded in that discussion:  when a 
>> > resolver fails to get an answer from all of the authoritative 
>> > nameservers for a domain, why not use the last known answer, even if it's stale.

that's what opendns does.

>> >
>> > Yes, that clearly violates the TTL of the rrset, but wouldn't it be 
>> > overall better for the health of the internet?

no. sometimes the old value is dangerous (private; load; loss) to the person who changed it.

Paul Vixie
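
Added example, not part of the thread or of any resolver's code: a toy Python cache that models the trade-off argued above, where a resolver that cannot reach any authoritative server either honours the TTL or returns the last known answer. The names StaleCache, Zone and max_stale, the hostname and the addresses are constructed for illustration.

```python
from dataclasses import dataclass

class UpstreamDown(Exception):
    """No authoritative server answered."""

@dataclass
class Entry:
    value: str
    fetched_at: float
    ttl: float

class StaleCache:
    """Toy resolver cache; max_stale=0 honours the TTL strictly."""
    def __init__(self, upstream, max_stale=0.0):
        self.upstream = upstream    # callable(name) -> (value, ttl)
        self.max_stale = max_stale  # seconds past TTL an answer may still be served
        self.entries = {}

    def resolve(self, name, now):
        e = self.entries.get(name)
        if e and now < e.fetched_at + e.ttl:
            return e.value, "fresh"
        try:
            value, ttl = self.upstream(name)
        except UpstreamDown:
            # TTL has expired and nobody answers: serve stale only inside the cap.
            if e and now < e.fetched_at + e.ttl + self.max_stale:
                return e.value, "stale"
            return None, "servfail"
        self.entries[name] = Entry(value, now, ttl)
        return value, "fetched"

class Zone:
    """Constructed authoritative side: one record plus an outage switch."""
    def __init__(self, value, ttl):
        self.value, self.ttl, self.reachable = value, ttl, True
    def __call__(self, name):
        if not self.reachable:
            raise UpstreamDown(name)
        return self.value, self.ttl

def scenario(max_stale):
    zone = Zone("192.0.2.10", ttl=300)
    cache = StaleCache(zone, max_stale)
    first = cache.resolve("www.example.test", now=0)
    zone.value = "192.0.2.20"   # owner retires the old address
    zone.reachable = False      # then the authoritative servers go dark
    during = cache.resolve("www.example.test", now=600)  # TTL ran out at 300
    zone.reachable = True
    after = cache.resolve("www.example.test", now=700)
    return first, during, after
```

With max_stale=0 the outage yields a failure; with a large max_stale the client is sent to the address the owner had already retired, which is the hazard raised in the reply above.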