[dns-operations] TTL=0; Last known good answer (Re: dns retries amplify attack)

Paul Vixie paul at redbarn.org
Tue Oct 25 21:53:06 UTC 2016

Robert Edmonds wrote:
> Paul Vixie wrote:
>> i think the best way to do this is without any signalling change. just
>> use the TTL for expiration, and use some other interval like 10% of the
>> TTL or 3X the SOA MINIMUM for re-fetch. but you'd only do this for
>> things in the cache that actually get used a lot.
> You appear to be describing pre-fetching, which already exists (e.g. it
> is enabled by default in BIND >= 9.10). Are you saying that pre-fetching
> is a good enough substitute for serving hot stale records past their TTL
> expiration?

i'm not sure. because under sustained attack, the refresh could fail for
longer than 1*TTL or even 3*TTL. but i think it's on the right track.
note that the chance of redelegation is high, and that the whole NS
chain will have to be investigated early, not just the RRset itself.

P Vixie
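The refresh policy discussed in this exchange (expire strictly on TTL, re-fetch heavily used entries early, and serve a hot record stale only when the refresh itself fails) as a small resolver-cache model. This is an added illustration, not code from the thread or from BIND; the hotness threshold, reading "10% of the TTL or 3X the SOA MINIMUM" as the larger of the two, and restricting stale answers to hot entries are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional

HOT_THRESHOLD = 5  # hits before an entry counts as "used a lot" (assumed value)


@dataclass
class Entry:
    rdata: str
    ttl: int          # seconds of validity from the authoritative answer
    soa_minimum: int  # SOA MINIMUM of the owning zone
    fetched_at: float
    hits: int = 0

    def remaining(self, now: float) -> float:
        return self.ttl - (now - self.fetched_at)

    def refetch_window(self) -> float:
        # A hot entry is re-fetched once this much TTL is left: the larger of
        # 10% of the TTL and 3x the SOA MINIMUM (one reading of the proposal).
        return max(0.1 * self.ttl, 3 * self.soa_minimum)


class Cache:
    def __init__(self, fetch: Callable[[str], Optional[tuple]]):
        self.fetch = fetch  # fetch(name) -> (rdata, ttl, soa_minimum), or None on failure
        self.entries: dict[str, Entry] = {}

    def _refresh(self, name: str, now: float) -> bool:
        answer = self.fetch(name)
        if answer is None:
            return False  # keep what we had; the caller decides what to serve
        old = self.entries.get(name)
        self.entries[name] = Entry(*answer, fetched_at=now, hits=old.hits if old else 0)
        return True

    def lookup(self, name: str, now: float) -> Optional[str]:
        e = self.entries.get(name)
        if e is None:
            return self.entries[name].rdata if self._refresh(name, now) else None
        e.hits += 1
        hot = e.hits >= HOT_THRESHOLD
        if e.remaining(now) > 0:
            # Still valid: refresh hot entries early, so a failed refresh costs nothing yet.
            if hot and e.remaining(now) <= e.refetch_window():
                self._refresh(name, now)
            return self.entries[name].rdata
        # Expired: try upstream; if that fails, only a hot entry is served stale.
        if self._refresh(name, now):
            return self.entries[name].rdata
        return e.rdata if hot else None
```

The model validates only the RRset itself; it does not re-check the NS chain for redelegation, which the reply above says must also happen early.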

