[dns-operations] TTL=0; Last known good answer (Re: dns retries amplify attack)
Damian Menscher
damian at google.com
Mon Oct 24 22:26:39 UTC 2016
On Mon, Oct 24, 2016 at 3:06 PM, Paul Vixie <paul at redbarn.org> wrote:
>
> Jared Mauch wrote:
> > I'm wondering if anyone else implements the TTL=0 behavior so we
> > can investigate that to keep end-customer impacting issues to a minimum.
> >
> > I don't want to serve up invalid data, but keeping last known
> > with TTL=0 seems a fair response given enough resources to not have
> > that answer expired or invalidated with alternate data.
>
> many domain names or rrsets need badly to be taken down, for the good of
> the internet. this "use stale data at ttl=0" is exquisitely wrong headed.
>
It seems like we actually need two different TTLs:
- how long before we want the client to refresh their cache:
O(seconds/minutes) for agility
- how long we want the client to remember our latest answer:
O(hours/days) for availability
Is there anything in the protocol today that would support this, or is
there interest in adding it?
Damian
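As an added illustration that is not part of the thread, the two-TTL behaviour described above modelled as a small resolver cache in Python: a refresh TTL after which the resolver re-queries the authority, and a longer retention TTL bounding how long the last known good answer may still be handed out (with TTL=0) when the authority cannot be reached. The class, the fake upstream and the TTL values are constructed for the example; a successful authoritative answer, including a removal of the name, always replaces the cached data at the refresh boundary, so stale data is only ever served on upstream failure.

```python
import time
from dataclasses import dataclass


@dataclass
class Record:
    rdata: tuple        # last known good RRset, e.g. ("192.0.2.10",); () models NXDOMAIN
    fetched_at: float   # when the authoritative answer was received
    refresh_ttl: int    # seconds before the resolver re-asks the authority
    retain_ttl: int     # seconds the last known good answer may be served stale


class StaleAwareCache:
    """Resolver cache with two TTLs per name (constructed model, not a real resolver)."""

    def __init__(self, upstream, refresh_ttl=60, retain_ttl=86400, now=time.time):
        self.upstream = upstream        # callable(name) -> rdata tuple; raises on timeout/SERVFAIL
        self.refresh_ttl = refresh_ttl
        self.retain_ttl = retain_ttl
        self.now = now                  # injectable clock so the behaviour can be tested offline
        self.cache = {}

    def resolve(self, name):
        """Return (rdata, ttl_for_client, served_stale)."""
        t = self.now()
        rec = self.cache.get(name)
        age = None if rec is None else t - rec.fetched_at
        if rec is not None and age < rec.refresh_ttl:
            # Still fresh: hand out the remaining refresh TTL.
            return rec.rdata, int(rec.refresh_ttl - age), False
        try:
            rdata = self.upstream(name)
        except Exception:
            # Authority unreachable. Serve the last known good answer with TTL=0 so the
            # client retries next time, but only inside the retention window.
            if rec is not None and age < rec.retain_ttl:
                return rec.rdata, 0, True
            self.cache.pop(name, None)  # retention exhausted: stop serving stale data
            raise
        # Any authoritative answer (including a changed RRset or NXDOMAIN) replaces the
        # cached data, so takedowns take effect at the refresh TTL, not the retention TTL.
        self.cache[name] = Record(rdata, t, self.refresh_ttl, self.retain_ttl)
        return rdata, self.refresh_ttl, False


def demo():
    """Walk one name through fresh, stale and expired states with a fake clock."""
    state = {"t": 0.0, "up": True, "answer": ("192.0.2.10",)}

    def upstream(name):
        if not state["up"]:
            raise TimeoutError("authority unreachable")
        return state["answer"]

    cache = StaleAwareCache(upstream, refresh_ttl=60, retain_ttl=3600, now=lambda: state["t"])
    first = cache.resolve("example.test")            # fresh fetch
    state["t"], state["up"] = 120.0, False
    stale = cache.resolve("example.test")            # past refresh TTL, authority down
    state["t"], state["up"], state["answer"] = 200.0, True, ()
    removed = cache.resolve("example.test")          # authority back, name taken down
    return first, stale, removed
```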