[dns-operations] TTL=0; Last known good answer (Re: dns retries amplify attack)

Damian Menscher damian at google.com
Mon Oct 24 22:26:39 UTC 2016

On Mon, Oct 24, 2016 at 3:06 PM, Paul Vixie <paul at redbarn.org> wrote:
> Jared Mauch wrote:
> >       I'm wondering if anyone else implements the TTL=0 behavior so we
> > can investigate that to keep end-customer impacting issues to a minimum.
> >
> >       I don't want to serve up invalid data, but keeping last known
> > with TTL=0 seems a fair response given enough resources to not have
> > that answer expired or invalidated with alternate data.
> many domain names or rrsets need badly to be taken down, for the good of
> the internet. this "use stale data at ttl=0" is exquisitely wrong headed.

It seems like we actually need two different TTLs:
  - how long before we want the client to refresh their cache:
O(seconds/minutes) for agility
  - how long we want the client to remember our latest answer:
O(hours/days) for availability

Is there anything in the protocol today that would support this, or is
there interest in adding it?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20161024/6371a1f6/attachment.html>

More information about the dns-operations mailing list