[dns-operations] [dDoS] Good discussion on the Rackspace attack and DNS resiliency

nicolas at ncartron.org nicolas at ncartron.org
Tue Dec 30 18:42:29 UTC 2014

Hi David,

On Tue Dec 30 18:17:51 2014 GMT+0100, David C Lawrence wrote:
> Colm MacCarthaigh wrote:
> > Yes, that clearly violates the TTL of the rrset, but wouldn't be
> > over-all better for the health of the internet?
> Paul Vixie wrote:
> > no. sometimes the old value is dangerous (private; load; loss) to the
> > person who changed it.
> On the other hand, since implementing it in our own local resolvers I
> can tell you that the feature has absolutely averted customer
> incidents, and never once caused one by using stale data.
> Thus personally I would say that the answer to Colm's question is a
> qualified yes.  I don't disagree with you about there being
> problematic cases, but if we had let the perfect be the enemy of the
> good we wouldn't even have the practical Internet and the World Wide
> Web today.  On balance to me the feature is "over-all better" for DNS
> resilience.

I strongly agree with you.
Though it's not perfect (as pointed out by Paul), I believe it has more benefits than side/bad effects.

It could be a tool offered to DNS operators, and leave them the choice to use it or not. 

Nicolas Cartron

More information about the dns-operations mailing list