[dns-operations] DNS Flush Protocol

Richard Doty rad at twig.com
Sat Mar 28 17:04:08 UTC 2015 

On 3/27/15 9:48 AM, Warren Kumari wrote:
> Joe Abley and myself wrote some Internet Drafts on this.
>
> Requirements for a Mechanism for Remote-Triggered DNS Cache Flushes -
> draft-jabley-dnsop-flush-reqs-00
> and
> A Mechanism for Remote-Triggered DNS Cache Flushes (DNS FLUSH) -
> http://tools.ietf.org/html/draft-jabley-dnsop-dns-flush-00

The above is quite elegant.  And it does not require some new trust 
framework.  I can NOTIFY any resolver I wish, and they can check to see 
if their cache is current by querying the master server (*before* 
flushing, hopefully).

Richard.

>
> Some slides: http://www.ietf.org/proceedings/88/slides/slides-88-dnsop-5.pdf
>
> I eventually got bored and have started writing an out of band thing.
> It is basically a cooperative model .
>
> Basically a django app where a domain operator / owner will create an
> account and register their domains. The system will confirm domain
> ownership (kinda like a CA does (send emails, publish a TXT record,
> etc)).
> When something goes wrong, the domain operator logs in and requests a
> cache flush.
> The system then publishes (using pubsubhubbub) a signed cache flush request.
>
> Resolvers will run a (very) small daemon that listens for pubsub
> messages, validates them and then runs e.g rndc flush $domain.
>
> Domain owners have an incentive to do this to recover from Oopses.
> Resolver operators have less of an incentive, but I think many will
> still be willing to do this -- it protects their users, removes
> operational annoyance, etc. The message format, etc will all be
> published, so resolver operators can either just install the (to be
> provided) daemon, or roll their own.
>
> I cannot remember Geoff's numbers, but we need <100 of hte largest
> resolvers to get >85% of users.
>
> W
>
> On Fri, Mar 27, 2015 at 10:48 AM, Mike Jones <mike at mikejones.in> wrote:
>> Every couple of months someone posts on a selection of industry
>> mailing lists that something has happened and can everyone please
>> flush their DNS caches for mywebsite.com. Often someone follows up the
>> discussion by suggesting some kind of automated system, which results
>> in a mention of opendns/googles flush pages, there is a little more
>> suggestion that a community flush system would be useful, then the
>> thread fizzles out.
>>
>> I hereby propose an automated cache flush mechanism. I have no idea
>> what such a protocol should look like, however support for it probably
>> needs to be built in to standard DNS software. BIND needs a setting
>> that can tell it to register with "cacheflushservice.net" which will
>> result in the "cacheflushservice.net" server sending out a request to
>> flush google.com to all registered servers whenever I ask them to
>> flush google.com for me.
>>
>> Comments? Ideas? Does someone want to make a slightly more formal
>> proposal for what such a protocol should look like?
>>
>> - Mike Jones
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>> dns-jobs mailing list
>> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
>
>

More information about the dns-operations mailing list