[dns-operations] DNS Flush Protocol

Warren Kumari warren at kumari.net
Fri Mar 27 16:48:53 UTC 2015

Joe Abley and myself wrote some Internet Drafts on this.

Requirements for a Mechanism for Remote-Triggered DNS Cache Flushes -
A Mechanism for Remote-Triggered DNS Cache Flushes (DNS FLUSH) -

Some slides: http://www.ietf.org/proceedings/88/slides/slides-88-dnsop-5.pdf

I eventually got bored and have started writing an out of band thing.
It is basically a cooperative model.

Basically a django app where a domain operator / owner will create an
account and register their domains. The system will confirm domain
ownership (kinda like a CA does (send emails, publish a TXT record,
When something goes wrong, the domain operator logs in and requests a
cache flush.
The system then publishes (using pubsubhubbub) a signed cache flush request.

Resolvers will run a (very) small daemon that listens for pubsub
messages, validates them and then runs e.g. rndc flush $domain.

Domain owners have an incentive to do this to recover from Oopses.
Resolver operators have less of an incentive, but I think many will
still be willing to do this -- it protects their users, removes
operational annoyance, etc. The message format, etc will all be
published, so resolver operators can either just install the (to be
provided) daemon, or roll their own.

I cannot remember Geoff's numbers, but we need <100 of the largest
resolvers to get >85% of users.


On Fri, Mar 27, 2015 at 10:48 AM, Mike Jones <mike at mikejones.in> wrote:
> Every couple of months someone posts on a selection of industry
> mailing lists that something has happened and can everyone please
> flush their DNS caches for mywebsite.com. Often someone follows up the
> discussion by suggesting some kind of automated system, which results
> in a mention of opendns/googles flush pages, there is a little more
> suggestion that a community flush system would be useful, then the
> thread fizzles out.
> I hereby propose an automated cache flush mechanism. I have no idea
> what such a protocol should look like, however support for it probably
> needs to be built in to standard DNS software. BIND needs a setting
> that can tell it to register with "cacheflushservice.net" which will
> result in the "cacheflushservice.net" server sending out a request to
> flush google.com to all registered servers whenever I ask them to
> flush google.com for me.
> Comments? Ideas? Does someone want to make a slightly more formal
> proposal for what such a protocol should look like?
> - Mike Jones

I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
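The resolver-side daemon sketched above (subscribe to signed flush requests, validate them, then call rndc) as an added example; this is not code from the drafts, the slides, or any daemon Warren provided. It assumes a constructed message shape (domain, issue time, nonce, Ed25519 signature over canonical bytes), that the resolver operator has the flush service's public key and a list of domains whose owners enrolled (the cooperative model), and it only returns the rndc argument vector rather than executing it. The checks are the ones a resolver operator would want before dropping anything from cache: valid signature, enrolled domain, a sane name (no root or TLD-wide flushes), a freshness window, and a nonce cache against replayed messages. `rndc flushtree` and `rndc flushname` are real BIND 9 rndc commands; the former drops a name and everything below it, the latter only the exact name.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// FlushRequest is a constructed message shape for this example; the
// pubsubhubbub payload format of the real service is not reproduced here.
type FlushRequest struct {
	Domain   string // name whose cached records should be dropped
	IssuedAt int64  // unix seconds, used for the freshness window
	Nonce    string // unique per request, hex encoded
	Sig      []byte // Ed25519 signature over canonical()
}

// canonical returns the exact bytes that are signed and verified.
func (r FlushRequest) canonical() []byte {
	return []byte(fmt.Sprintf("flush|%s|%d|%s", strings.ToLower(r.Domain), r.IssuedAt, r.Nonce))
}

// Sign is the publisher side: the flush service signs a request for a domain.
func Sign(priv ed25519.PrivateKey, domain string, now time.Time) (FlushRequest, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return FlushRequest{}, err
	}
	r := FlushRequest{Domain: strings.ToLower(domain), IssuedAt: now.Unix(), Nonce: hex.EncodeToString(nonce)}
	r.Sig = ed25519.Sign(priv, r.canonical())
	return r, nil
}

// Daemon is the resolver-side subscriber state.
type Daemon struct {
	ServiceKey ed25519.PublicKey // public key of the flush service (assumed pre-distributed)
	Registered map[string]bool   // domains whose owners enrolled with the service
	MaxSkew    time.Duration     // accepted clock skew / message age
	seen       map[string]int64  // nonce -> IssuedAt, replay cache
}

func NewDaemon(key ed25519.PublicKey, registered []string) *Daemon {
	d := &Daemon{ServiceKey: key, Registered: map[string]bool{}, MaxSkew: 5 * time.Minute, seen: map[string]int64{}}
	for _, n := range registered {
		d.Registered[strings.TrimSuffix(strings.ToLower(n), ".")] = true
	}
	return d
}

// validName accepts hostnames of at least two labels, so a message can never
// ask the resolver to flush the root or an entire TLD.
func validName(name string) bool {
	if len(name) == 0 || len(name) > 253 {
		return false
	}
	labels := strings.Split(name, ".")
	if len(labels) < 2 {
		return false
	}
	for _, l := range labels {
		if len(l) == 0 || len(l) > 63 || l[0] == '-' || l[len(l)-1] == '-' {
			return false
		}
		for _, c := range l {
			if !(c >= 'a' && c <= 'z' || c >= '0' && c <= '9' || c == '-') {
				return false
			}
		}
	}
	return true
}

// Validate checks a request and returns the rndc argv to run, or an error.
// It never executes anything itself.
func (d *Daemon) Validate(r FlushRequest, now time.Time) ([]string, error) {
	name := strings.TrimSuffix(strings.ToLower(r.Domain), ".")
	if !validName(name) {
		return nil, errors.New("malformed or too broad domain name")
	}
	if !d.Registered[name] {
		return nil, errors.New("domain not enrolled with the flush service")
	}
	if !ed25519.Verify(d.ServiceKey, r.canonical(), r.Sig) {
		return nil, errors.New("bad signature")
	}
	age := now.Sub(time.Unix(r.IssuedAt, 0))
	if age > d.MaxSkew || age < -d.MaxSkew {
		return nil, errors.New("request outside freshness window")
	}
	// Drop replay-cache entries that the freshness check would reject anyway.
	for n, ts := range d.seen {
		if now.Sub(time.Unix(ts, 0)) > 2*d.MaxSkew {
			delete(d.seen, n)
		}
	}
	if _, dup := d.seen[r.Nonce]; dup {
		return nil, errors.New("replayed nonce")
	}
	d.seen[r.Nonce] = r.IssuedAt
	return []string{"rndc", "flushtree", name}, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	d := NewDaemon(pub, []string{"example.com"}) // constructed enrollment list
	req, err := Sign(priv, "example.com", time.Now())
	if err != nil {
		panic(err)
	}
	argv, err := d.Validate(req, time.Now())
	fmt.Println(argv, err)
	_, err = d.Validate(req, time.Now()) // same message delivered twice
	fmt.Println("replay:", err)
}
```

The nonce cache is in-memory and bounded by the freshness window, so a daemon restart forgets recent nonces; that is acceptable because anything older than MaxSkew is rejected on the timestamp alone. Whether to use `flushtree` or `flushname` is an operator choice: `flushtree` is what a domain owner recovering from a bad zone push usually wants, `flushname` is the narrower option.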
