[dns-operations] [dDoS] Good discussion on the Rackspace attack and DNS resiliency

David C Lawrence tale at akamai.com
Tue Dec 30 17:17:51 UTC 2014


Colm MacCarthaigh wrote:
> Yes, that clearly violates the TTL of the rrset, but wouldn't be
> over-all better for the health of the internet?

Paul Vixie wrote:
> no. sometimes the old value is dangerous (private; load; loss) to the
> person who changed it.

On the other hand, since implementing it in our own local resolvers I
can tell you that the feature has absolutely averted customer
incidents, and never once caused one by using stale data.

Thus personally I would say that the answer to Colm's question is a
qualified yes.  I don't disagree with you about there being
problematic cases, but if we had let the perfect be the enemy of the
good we wouldn't even have the practical Internet and the World Wide
Web today.  On balance to me the feature is "over-all better" for DNS
resilience.

I've been considering writing up an I-D and/or presenting to SSAC
about our experiences with it and recommendations for how to handle it
operationally.  Should make for a lively discussion.


