[dns-operations] DNS Flush Protocol

Paul Hoffman paul.hoffman at vpnc.org
Thu Apr 2 15:13:59 UTC 2015


On Mar 27, 2015, at 8:48 AM, Mike Jones <mike at mikejones.in> wrote:
> Comments? Ideas? Does someone want to make a slightly more formal
> proposal for what such a protocol should look like?

In the responses so far, I have not seen people give one of the earlier-stated reasons why such a protocol might be bad: it can allow an attacker to more easily temporarily take over your zone. Assume that you're an attacker who has gotten the temporary ability to be on-path for one or more of a zone's servers. Being able to send out "please refresh my zone" alerts makes your attack much more effective. Further, when the attack is discovered and the real zone owner sends out another blast of "please refresh my zone", recipients might think "I already did that" and ignore it.

Thus, the protocol proposed probably has to involve a requirement for DNSSEC validation of announcements, which will limit its utility.

--Paul Hoffman
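The sequence Paul describes, as an added simulation that is not part of the original thread and not any draft of the proposed protocol. The wire format of the announcement, the zone name, the addresses, and the one-refresh-per-zone rate limit are all assumptions made for the example; "DNSSEC validation" is stood in for by a single Ed25519 zone key that the resolver trusts, rather than a real chain of trust. The scenario is run twice: once with a resolver that acts on any announcement, and once with one that only acts on announcements it can validate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// FlushMsg is a constructed stand-in for a "please refresh my zone"
// announcement. The format is an assumption for this example, not a draft.
type FlushMsg struct {
	Zone   string
	Serial uint32
	Sig    []byte // signature over Zone||Serial by the zone key; nil if unsigned
}

// signedBytes is the byte string the zone key signs.
func signedBytes(zone string, serial uint32) []byte {
	b := make([]byte, 4)
	binary.BigEndian.PutUint32(b, serial)
	return append([]byte(zone+"|"), b...)
}

// SignFlush is what the real zone owner sends: an announcement signed with
// the zone's private key (modelling a DNSSEC-validatable announcement).
func SignFlush(priv ed25519.PrivateKey, zone string, serial uint32) FlushMsg {
	return FlushMsg{Zone: zone, Serial: serial, Sig: ed25519.Sign(priv, signedBytes(zone, serial))}
}

// Network models what a refresh fetches. While the attacker is on-path for
// the zone's servers, the resolver receives the attacker's data instead.
type Network struct {
	AttackerOnPath bool
	LegitData      string
	AttackerData   string
}

func (n *Network) Fetch() string {
	if n.AttackerOnPath {
		return n.AttackerData
	}
	return n.LegitData
}

// Resolver is a recursive resolver's cache for the zones it has seen.
type Resolver struct {
	Validate  bool
	ZoneKey   ed25519.PublicKey // trusted key, standing in for a DNSSEC chain
	Cache     map[string]string
	refreshed map[string]bool // zones already refreshed on request ("I already did that")
}

func NewResolver(validate bool, key ed25519.PublicKey) *Resolver {
	return &Resolver{Validate: validate, ZoneKey: key,
		Cache: map[string]string{}, refreshed: map[string]bool{}}
}

// HandleFlush returns true if the announcement caused a refresh.
func (r *Resolver) HandleFlush(m FlushMsg, net *Network) bool {
	// An unsigned or forged announcement has a missing or wrong signature;
	// ed25519.Verify returns false for either without panicking.
	if r.Validate && !ed25519.Verify(r.ZoneKey, signedBytes(m.Zone, m.Serial), m.Sig) {
		return false
	}
	// Assumed rate limit: a second flush for the same zone is dropped.
	// This is the "I already did that" behaviour from the post.
	if r.refreshed[m.Zone] {
		return false
	}
	r.refreshed[m.Zone] = true
	r.Cache[m.Zone] = net.Fetch()
	return true
}

// Scenario runs the attack sequence and returns what the resolver ends up
// caching for the zone. Data strings and addresses are constructed samples.
func Scenario(validate bool) (string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	net := &Network{LegitData: "A 192.0.2.1", AttackerData: "A 198.51.100.66"}
	r := NewResolver(validate, pub)
	r.Cache["example"] = net.Fetch() // ordinary cache fill before the attack

	// Attacker becomes on-path and blasts an unsigned flush announcement.
	net.AttackerOnPath = true
	r.HandleFlush(FlushMsg{Zone: "example", Serial: 2}, net)

	// Attack discovered and the attacker removed; the owner sends a signed flush.
	net.AttackerOnPath = false
	r.HandleFlush(SignFlush(priv, "example", 3), net)
	return r.Cache["example"], nil
}

func main() {
	for _, v := range []bool{false, true} {
		data, err := Scenario(v)
		fmt.Printf("validate=%v cached=%q err=%v\n", v, data, err)
	}
}
```

The non-validating resolver refreshes on the attacker's announcement while the attacker is on-path, caches the attacker's data, and then drops the owner's genuine announcement as a duplicate, so the poisoned data outlives the attacker's on-path position. The validating resolver never acts on the forged announcement, so the owner's later signed one is the first it honours. The cost is the one Paul notes: a resolver can only do this for zones whose key it can validate, so unsigned zones get nothing from the protocol.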