[dns-operations] [dDoS] Good discussion on the Rackspace attack and DNS resiliency

David C Lawrence tale at akamai.com
Tue Dec 30 19:54:59 UTC 2014


Paul Vixie writes:
> i think you mean "we have heard no reports of incidents caused by stale
> data"?

I meant it as I said it, but appreciate the distinction you are trying
to make.

Many organizations have a formal distinction of what an incident is.
If it wasn't reported (for expansive values of "reported"), it wasn't
an incident.

> if the real problem is "ttl's are too short"

It isn't.  This doesn't address legitimate needs organizations have
for short TTLs -- which are not only, of course, CDNs like my
employer.  It also doesn't at all address the issue that even with a
very long TTL, data do eventually expire without the resolver being
able to refresh.

> or "rdns servers should save and restore their cache across
> restarts"

This also is not the issue, though it is one that I've worked on
separately.  The heart of the problem is authorities becoming
unavailable, usually through administrative error in our experience,
and not inherently a problem in the caches.

> violating other people's reasonable assumptions meanwhile shouldn't
> be an option.

For what it's worth, the "TTLs are inviolable" ship sailed long ago.
Both ends of the TTL are already monkeyed with by local policy across
the Internet.  BIND has had max-cache-ttl for a very long time.  Web
browsers similarly for a very long time have kept local caches with
minimum TTLs that the vast majority of people are not even aware of.

> see also: <http://queue.acm.org/detail.cfm?id=1242499>.

Great article.  Thanks for writing it.
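The following is an added example, not part of this post and not the code of BIND or of any other resolver. It is a toy cache model of the two points made above: both ends of an authoritative TTL get clamped by local policy (a floor, as browsers do, and a ceiling, as BIND's max-cache-ttl does), and once the authority becomes unreachable even a week-long TTL eventually runs out, after which the lookup fails unless the cache is willing to hand out expired data. The zone data, the timings, and the serve_stale knob are constructed for illustration.

```python
"""Toy resolver cache: TTL clamping by local policy, and what happens at
expiry when the authority cannot be reached.  Illustrative model only."""

from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# fetch(name) -> (rdata, authoritative ttl); raises TimeoutError when the
# authority does not answer.
Fetch = Callable[[str], Tuple[str, int]]


@dataclass
class CacheEntry:
    rdata: str
    ttl: int          # TTL as stored, i.e. after local policy clamping
    inserted_at: int  # seconds on the caller's clock


@dataclass
class ResolverCache:
    min_cache_ttl: int = 0        # floor on authoritative TTLs (browser-style)
    max_cache_ttl: int = 604800   # ceiling (BIND's max-cache-ttl defaults to a week)
    serve_stale: bool = False     # hypothetical knob: hand out expired data if refresh fails
    entries: Dict[str, CacheEntry] = field(default_factory=dict)

    def clamp(self, ttl: int) -> int:
        """Apply both ends of local TTL policy to an authoritative TTL."""
        return max(self.min_cache_ttl, min(self.max_cache_ttl, ttl))

    def lookup(self, name: str, now: int, fetch: Fetch) -> Tuple[str, str]:
        """Return (rdata, status); status is hit, miss, refresh or stale."""
        entry = self.entries.get(name)
        if entry is not None and now < entry.inserted_at + entry.ttl:
            return entry.rdata, "hit"
        try:
            rdata, ttl = fetch(name)
        except TimeoutError:
            # Data expired and the authority is gone: the only choices are
            # to fail the query or to serve what we still have.
            if entry is not None and self.serve_stale:
                return entry.rdata, "stale"
            raise
        self.entries[name] = CacheEntry(rdata, self.clamp(ttl), now)
        return rdata, "refresh" if entry is not None else "miss"


# Constructed sample zone data: name -> (rdata, authoritative TTL).
# A CDN-style 30-second record and a week-long record.
AUTHORITY = {
    "cdn.example.": ("192.0.2.10", 30),
    "static.example.": ("192.0.2.20", 604800),
}


def make_authority(state: dict) -> Fetch:
    """Authority that answers from AUTHORITY while state['up'] is True."""
    def fetch(name: str) -> Tuple[str, int]:
        if not state["up"]:
            raise TimeoutError(f"no response from authority for {name}")
        return AUTHORITY[name]
    return fetch


def run_scenario(serve_stale: bool) -> dict:
    """Drive the cache through a constructed timeline and record outcomes."""
    state = {"up": True}
    fetch = make_authority(state)
    cache = ResolverCache(min_cache_ttl=300, max_cache_ttl=3600,
                          serve_stale=serve_stale)
    out = {}
    out["cdn_t0"] = cache.lookup("cdn.example.", 0, fetch)[1]          # miss
    out["static_t0"] = cache.lookup("static.example.", 0, fetch)[1]    # miss
    # Local policy has rewritten both TTLs: 30 -> 300 (floor), 604800 -> 3600 (ceiling).
    out["cdn_stored_ttl"] = cache.entries["cdn.example."].ttl
    out["static_stored_ttl"] = cache.entries["static.example."].ttl
    out["cdn_t100"] = cache.lookup("cdn.example.", 100, fetch)[1]      # hit, floor kept it
    out["cdn_t350"] = cache.lookup("cdn.example.", 350, fetch)[1]      # refresh, authority still up
    state["up"] = False  # administrative error: the authority stops answering
    try:
        out["static_t3700"] = cache.lookup("static.example.", 3700, fetch)[1]
    except TimeoutError:
        out["static_t3700"] = "SERVFAIL"
    return out


if __name__ == "__main__":
    for flag in (False, True):
        print(f"serve_stale={flag}: {run_scenario(flag)}")
```

Note that the long authoritative TTL on static.example. does not save it: the resolver's own ceiling cut it to an hour, and once that hour passes with the authority unreachable the answer is gone in the strict cache and survives only in the serve_stale variant.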
