[dns-operations] TTL=0; Last known good answer (Re: dns retries amplify attack)

Jared Mauch jared at puck.nether.net
Tue Oct 25 00:15:14 UTC 2016


A few things:

> On Oct 24, 2016, at 7:47 PM, Robert Edmonds <edmonds at mycre.ws> wrote:
> 
>> the SOA MINIMUM is currently almost this, but only for negative answers.
>> expanding it to be used for positive answers as well could be done
>> without a wire-change.
> 
> This would not be particularly useful since it would be common to want
> both a small negative TTL (on the order of seconds/minutes, for agility)
> combined with a long serve-stale time (on the order of hours/days, for
> availability). And it wouldn't be able to express policy for serving
> stale negative answers.

While I’m interested in wire level encoding of DNS, this is perhaps best
moved to dnsop over at IETF at minimum.

I’d be interested in a serve-stale-aa-unreach option which permits me to
serve valid data for up to the SOA expiry value from my caches.  This would
seem to solve some problems, while a server could still be retrying on
the backside and obviously update the cache on a new entry.

We see this in the switch world, where seen traffic from a MAC address would
keep the CAM table populated within the layer-2 domain.  The same also applies
to layer-3 traffic: it may update the ARP (HW <-> IP) table based on the device
policy.

This seems like an application-level assist that would be well received by those
that rely upon services that are under attack.  There are some other tricks as well
which I won’t detail on a public list.  (Call me, or find me in private in Seoul.)

- Jared
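
The serve-stale behaviour Jared asks for (keep answering from cache past the RR TTL while the authority is unreachable, but never past SOA EXPIRE), together with the separate short-negative-TTL / long-stale-ceiling split Edmonds describes, modelled as a small resolver cache. This is an added example, not code from the thread; the zone data, TTL values, ceilings and the fake authoritative server are constructed.

```python
from dataclasses import dataclass

SOA_MINIMUM = 60        # constructed: negative-answer TTL (the SOA MINIMUM field)
SOA_EXPIRE = 604800     # constructed: 7 days, ceiling for stale positive answers
NEGATIVE_STALE = 3600   # constructed: separate, longer ceiling for stale negatives
@dataclass
class CacheEntry:
    rdata: "str | None"    # None models a cached negative answer (NXDOMAIN)
    inserted: int          # time the answer was cached (seconds)
    ttl: int               # RR TTL, or SOA MINIMUM for a negative answer
    stale_ceiling: int     # seconds after insertion when stale use must stop

class FakeAuthoritative:   # constructed stand-in for the zone's authoritative servers
    def __init__(self, zone):
        self.zone, self.reachable = zone, True   # zone: name -> (rdata, ttl)
    def query(self, name):
        if not self.reachable:
            raise TimeoutError(name)             # authority dark / under attack
        return self.zone.get(name, (None, SOA_MINIMUM))   # absent name = NXDOMAIN

class ServeStaleCache:
    def __init__(self, auth):
        self.auth, self.cache = auth, {}
    def lookup(self, name, now):
        """Return (rdata, status); status says where the answer came from."""
        entry = self.cache.get(name)
        if entry and now - entry.inserted < entry.ttl:
            return entry.rdata, "fresh"          # ordinary TTL-bounded cache hit
        try:
            rdata, ttl = self.auth.query(name)   # TTL ran out: retry the authority
        except TimeoutError:
            if entry and now - entry.inserted < entry.stale_ceiling:
                return entry.rdata, "stale"      # last known good answer
            return None, "servfail"              # past the ceiling: stop serving it
        ceiling = SOA_EXPIRE if rdata is not None else NEGATIVE_STALE
        self.cache[name] = CacheEntry(rdata, now, ttl, ceiling)
        return rdata, "refreshed"

def demo():
    """Scripted timeline: the authority becomes unreachable after t=100 s."""
    auth = FakeAuthoritative({"www.example.net.": ("192.0.2.10", 300)})
    cache, www, nope = ServeStaleCache(auth), "www.example.net.", "nope.example.net."
    out = [cache.lookup(www, 0)[1], cache.lookup(www, 100)[1], cache.lookup(nope, 100)[1]]
    auth.reachable = False
    out += [cache.lookup(nope, 130)[1],        # fresh: inside the 60 s negative TTL
            cache.lookup(www, 500)[1],         # stale: TTL gone, authority dark, under EXPIRE
            cache.lookup(nope, 500)[1],        # stale: negative answer under its own ceiling
            cache.lookup(nope, 3700)[1],       # servfail: negative ceiling (3600 s) reached
            cache.lookup(www, SOA_EXPIRE)[1]]  # servfail: SOA EXPIRE reached
    return out
```

A real resolver would also kick off the background refresh Jared mentions on every stale hit; here the retry happens inline on each lookup, which is enough to show the policy.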
