[dns-operations] TTL=0; Last known good answer (Re: dns retries amplify attack)

Edward Lewis edward.lewis at icann.org
Mon Oct 24 16:46:32 UTC 2016


On 10/24/16, 11:57, "dns-operations on behalf of Jared Mauch" <dns-operations-bounces at dns-oarc.net on behalf of jared at puck.nether.net> wrote:

>It seems that having something here would be of value to those that operate servers facing customers to minimize the impact vs complete amplification as everyone's caches remain expired at once and participate in an attack.

To me it's not clear there is a right answer.  For the sake of network operations, doing what it takes to minimize impact is a good thing.  But there have been cases where an administrative directive has been in place to, essentially, turn off servers for zones.  (E.g., MM in 2007, NP in 2005.)  In that event, I would think it would be inappropriate in some sense for a recursive server to act authoritatively.

I'm not saying "don't" but this may be why there may never be a formal, documented, BCP on using stale answers.
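
[Editor's note, not part of Edward's or Jared's messages: the toy resolver cache below is an added example illustrating the mechanism the quoted paragraph describes.  When every cache entry for a name expires while the authoritative servers are unreachable, each client query can turn into a fresh upstream retry; a "last known good answer" cache instead serves the expired record with a short TTL (here TTL=0, as in the subject line) and lets only one refresh attempt per name through per backoff window.  The 30 s backoff, the 3 h stale ceiling, the name www.example. and the 192.0.2.1 answer are constructed for the example and are not drawn from the thread or from any particular resolver implementation.  It does not take a position on the policy question raised above.]

```python
from dataclasses import dataclass

# Constructed example (not from the dns-operations thread): a minimal
# "serve stale" cache that keeps the last known good answer for a name and
# hands it out, with a clamped TTL, when the authoritative side times out.

STALE_TTL = 0          # TTL advertised on a stale answer (hypothetical choice)
MAX_STALE = 3 * 3600   # how long past expiry a record may still be served (hypothetical)
REFRESH_BACKOFF = 30   # seconds between upstream attempts for one expired name (hypothetical)


@dataclass
class Entry:
    rdata: list
    ttl: int
    fetched_at: float


class ServeStaleCache:
    def __init__(self, upstream, max_stale=MAX_STALE, stale_ttl=STALE_TTL):
        self.upstream = upstream          # callable(qname) -> (rdata, ttl) or raises TimeoutError
        self.cache = {}                   # qname -> Entry
        self.refresh_after = {}           # qname -> earliest time of the next upstream attempt
        self.max_stale = max_stale
        self.stale_ttl = stale_ttl
        self.upstream_queries = 0         # counts what the authoritative side actually sees

    def resolve(self, qname, now):
        """Return (rdata, ttl_to_advertise, is_stale) or raise LookupError (SERVFAIL)."""
        e = self.cache.get(qname)
        if e is not None and now < e.fetched_at + e.ttl:
            # Fresh hit: advertise the remaining TTL.
            return e.rdata, int(e.fetched_at + e.ttl - now), False

        # Expired or unknown.  Only one client per backoff window triggers an
        # upstream query; the others fall through to the stale answer below.
        if now >= self.refresh_after.get(qname, 0):
            self.upstream_queries += 1
            self.refresh_after[qname] = now + REFRESH_BACKOFF
            try:
                rdata, ttl = self.upstream(qname)
            except TimeoutError:
                pass
            else:
                self.cache[qname] = Entry(rdata, ttl, now)
                return rdata, ttl, False

        # Upstream unavailable (or we are inside the backoff): serve the last
        # known good answer with the clamped TTL, but only inside the stale window.
        if e is not None and now < e.fetched_at + e.ttl + self.max_stale:
            return e.rdata, self.stale_ttl, True
        raise LookupError(f"SERVFAIL for {qname}")


def simulate(clients=1000):
    """Constructed scenario: the authoritative servers answer once, then go dark."""
    state = {"up": True}

    def upstream(qname):
        if not state["up"]:
            raise TimeoutError(qname)
        return ["192.0.2.1"], 300        # constructed answer, 300 s TTL

    cache = ServeStaleCache(upstream)
    _, first_ttl, first_stale = cache.resolve("www.example.", now=0)

    state["up"] = False                  # zone's servers become unreachable
    # All clients ask at t=400, i.e. 100 s after the 300 s TTL ran out.
    answers = [cache.resolve("www.example.", now=400) for _ in range(clients)]
    result = {
        "first_ttl": first_ttl,
        "first_stale": first_stale,
        "stale_answers": sum(1 for _, _, s in answers if s),
        "stale_ttl": answers[0][1],
        "upstream_queries": cache.upstream_queries,   # 1 initial fetch + 1 failed refresh
    }
    # Past the stale window the cache stops answering and returns SERVFAIL.
    try:
        cache.resolve("www.example.", now=300 + MAX_STALE + 1)
        result["servfail_after_window"] = False
    except LookupError:
        result["servfail_after_window"] = True
    return result


if __name__ == "__main__":
    print(simulate())
```

With 1000 clients asking after expiry, the authoritative servers see two queries in total (the original fetch and one failed refresh) rather than a thousand, every client gets the last known good address with TTL 0 so it will re-ask rather than pin the stale record, and once the stale window closes the cache returns SERVFAIL.  Whether a recursive server should do this at all when a zone has been deliberately taken down is the question the message above leaves open; the code only shows what the mechanism does.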
