[dns-operations] resolvers considered harmful

Florian Weimer fw at deneb.enyo.de
Wed Oct 22 18:48:07 UTC 2014

* David Conrad:

> On Oct 22, 2014, at 10:27 AM, Florian Weimer <fw at deneb.enyo.de> wrote:
>> I've suggested multiple times that one
>> possible way to make DNS cache poisoning less attractive is to cache
>> only records which are stable over multiple upstream responses, and
>> limit the time-to-live not just in seconds, but also in client
>> responses.  
> Why not just turn on DNSSEC?

Important zones are still unsigned, so I can understand why there is a
desire for altenative solutions.

More information about the dns-operations mailing list