[dns-operations] TTL=0; Last known good answer (Re: dns retries amplify attack)

Dave Warren davew at hireahit.com
Tue Oct 25 07:26:05 UTC 2016


On Mon, Oct 24, 2016, at 15:06, Paul Vixie wrote:
> 
> 
> Jared Mauch wrote:
> > 	I'm wondering if anyone else implements the TTL=0 behavior so we
> > can investigate that to keep end-customer impacting issues to a minimum.
> > 
> > 	I don't want to serve up invalid data, but keeping last known
> > with TTL=0 seems a fair response given enough resources to not have
> > that answer expired or invalidated with alternate data.
> 
> many domain names or rrsets need badly to be taken down, for the good of
> the internet. this "use stale data at ttl=0" is exquisitely wrong headed.

I wonder if these concerns could be negated by only applying the "use
stale data" logic when all authoritative servers time out (or maybe also
a SERVFAIL?), but a REFUSED, NOERROR, NXDOMAIN would still be handled
with current logic?

I don't think we need to deal with configuration errors, or anything of
that sort; the goal would be only to deal with negating the impact of a
DoS attack. Of course, getting services to use TTLs of reasonable
lengths would also help, but I somehow don't see that happening either.
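
The policy proposed in the message above, as an added Python sketch that is not part of the original post or of any resolver's code: stale data is used only when every authoritative server times out, while NOERROR, NXDOMAIN and REFUSED keep their normal handling. The `answer` function, its `stale_on_servfail` flag, the cache layout and the sample record are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Rcode(Enum):
    NOERROR = 0
    SERVFAIL = 2
    NXDOMAIN = 3
    REFUSED = 5
    TIMEOUT = -1  # not a DNS rcode: marks "no reply from this server"

@dataclass
class Entry:
    rdata: str
    expires: float  # absolute time at which the record's TTL ran out

def answer(cache, name, now, replies, stale_on_servfail=False):
    """Return (status, rdata, ttl). `replies` holds one (Rcode, rdata, ttl)
    tuple per authoritative server that was queried for `name`."""
    entry = cache.get(name)
    if entry and entry.expires > now:  # ordinary cache hit, no upstream query
        return ("NOERROR", entry.rdata, int(entry.expires - now))

    for rcode, rdata, ttl in replies:
        if rcode is Rcode.NOERROR:  # current logic: fresh data replaces old
            cache[name] = Entry(rdata, now + ttl)
            return ("NOERROR", rdata, ttl)
        if rcode is Rcode.NXDOMAIN:  # current logic: a removed name stays removed
            cache.pop(name, None)
            return ("NXDOMAIN", None, 0)

    unreachable = {Rcode.TIMEOUT}
    if stale_on_servfail:  # the "or maybe also a SERVFAIL?" variant
        unreachable.add(Rcode.SERVFAIL)
    # REFUSED is never in `unreachable`, so one REFUSED reply blocks stale use.
    if entry and replies and all(r[0] in unreachable for r in replies):
        return ("NOERROR", entry.rdata, 0)  # last known good, handed out with TTL=0
    return ("SERVFAIL", None, 0)

def sample_cache():
    # Constructed data: one record whose TTL ran out at t=100.
    return {"www.example.com.": Entry("192.0.2.10", expires=100.0)}

if __name__ == "__main__":
    down = [(Rcode.TIMEOUT, None, 0)] * 3
    print(answer(sample_cache(), "www.example.com.", 500.0, down))
```

Because an NXDOMAIN reply discards the cached entry, a name that has been taken down at its authoritative servers is not revived by a later outage.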




