[dns-operations] [dDoS] Good discussion on the Rackspace attack and DNS resiliency
nicolas at ncartron.org
Tue Dec 30 18:42:29 UTC 2014
Hi David,
On Tue Dec 30 18:17:51 2014 GMT+0100, David C Lawrence wrote:
> Colm MacCarthaigh wrote:
> > Yes, that clearly violates the TTL of the rrset, but wouldn't be
> > over-all better for the health of the internet?
>
> Paul Vixie wrote:
> > no. sometimes the old value is dangerous (private; load; loss) to the
> > person who changed it.
>
> On the other hand, since implementing it in our own local resolvers I
> can tell you that the feature has absolutely averted customer
> incidents, and never once caused one by using stale data.
>
> Thus personally I would say that the answer to Colm's question is a
> qualified yes. I don't disagree with you about there being
> problematic cases, but if we had let the perfect be the enemy of the
> good we wouldn't even have the practical Internet and the World Wide
> Web today. On balance to me the feature is "over-all better" for DNS
> resilience.
I strongly agree with you.
Though it's not perfect (as pointed out by Paul), I believe it has more benefits than side/bad effects.
It could be a tool offered to DNS operators, leaving them the choice to use it or not.
--
Nicolas Cartron
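An added example, not code from the thread or from any of the resolvers mentioned in it, of the behaviour David describes: a resolver cache that keeps answering from an expired RRset only while the authoritative servers are unreachable, and only for a bounded window, which limits how long the "dangerous old value" Paul worries about can persist. The 24-hour MAX_STALE window, the 30-second TTL put on stale answers, and the exception name are assumptions.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Assumed policy knobs (constructed for this example, not from the thread).
MAX_STALE = 24 * 3600     # how long past expiry a stale RRset may still be served
STALE_ANSWER_TTL = 30     # TTL advertised to clients when the answer is stale


class UpstreamUnreachable(Exception):
    """Raised by the lookup function when no authoritative server answers."""


@dataclass
class CacheEntry:
    rdata: List[str]
    expires_at: float       # absolute time at which the RRset's TTL runs out


class ServeStaleCache:
    """Minimal resolver cache with serve-stale fallback."""

    def __init__(self, lookup: Callable[[str], Tuple[List[str], int]],
                 clock: Callable[[], float] = time.time):
        self.lookup = lookup          # upstream query: returns (rdata, ttl) or raises
        self.clock = clock            # injectable clock so the behaviour is testable
        self.entries: Dict[str, CacheEntry] = {}

    def resolve(self, name: str) -> Tuple[List[str], int, bool]:
        """Return (rdata, ttl_to_client, is_stale)."""
        now = self.clock()
        entry = self.entries.get(name)
        # Within TTL: answer from cache, TTL decremented, exactly as today.
        if entry is not None and now < entry.expires_at:
            return entry.rdata, int(entry.expires_at - now), False
        try:
            rdata, ttl = self.lookup(name)
        except UpstreamUnreachable:
            # Expired record, upstream down: serve stale, but only inside the window,
            # and with a short TTL so clients re-ask once upstream recovers.
            if entry is not None and now - entry.expires_at <= MAX_STALE:
                return entry.rdata, STALE_ANSWER_TTL, True
            raise  # beyond the window the old value is discarded, not served
        # Fresh answer: refresh the cache and clear any stale state.
        self.entries[name] = CacheEntry(rdata, now + ttl)
        return rdata, ttl, False
```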