[dns-operations] TTL=0; Last known good answer (Re: dns retries amplify attack)

Mark Andrews marka at isc.org
Tue Oct 25 22:23:01 UTC 2016


In message <20161025163910.eovgxjcd3c5zqri7 at mycre.ws>, Robert Edmonds writes:
> Paul Vixie wrote:
> > i think the best way to do this is without any signalling change. just
> > use the TTL for expiration, and use some other interval like 10% of the
> > TTL or 3X the SOA MINIMUM for re-fetch. but you'd only do this for
> > things in the cache that actually get used a lot.
> 
> You appear to be describing pre-fetching, which already exists (e.g. it
> is enabled by default in BIND >= 9.10). Are you saying that pre-fetching
> is a good enough substitute for serving hot stale records past their TTL
> expiration?

Not only BIND does prefetching.

We could relatively easily add a refresh field to every RR that
is only returned when the Extended RR (ER) bit (last DNS header
bit) is set in the request, leaving TTL for time to live.  An ER bit
in the response indicates Extended RRs are being returned.  EDNS
can't work for this signalling as you need to parse the response
to get to the OPT record and there are DNS servers that validly
ignore the OPT record in the request.

If you have a record learnt without a refresh field you set the
refresh field to the TTL field.

The refresh field is clamped to a maximum of the TTL field after
being clamped by the RRSIG original TTL if that is set.

This doesn't require changes to DNSSEC other than to skip
the refresh field in records when constructing the hash.

Yes, there will be some firewalls that think they know what DNS
records look like.  They would need to be updated or the checks be
turned off if there is an ER client behind them.

Yes, there are some servers that echo back reserved bits despite
requirements to set all reserved bits to zero being in the specification
from the very beginning.  Responses from such servers will not parse
as being valid.  Clients could reparse assuming non-ER or just drop
the response as invalid.

Mark

> -- 
> Robert Edmonds
-- 
Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
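The cache-side bookkeeping described in the message above, as an added example that is not code from the message, from BIND or from ISC: it applies the refresh/TTL clamping rules (RRSIG Original TTL first, then refresh = TTL when absent, then refresh capped at TTL), decides when a hot record is due for a background re-fetch versus expiry, and builds a signing input that skips the refresh field. The record layout and the `name|type|ttl|rdata` signing input are simplifications assumed here, not RFC 4034 canonical form.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

def clamp_ttl_and_refresh(ttl: int, refresh: Optional[int],
                          rrsig_original_ttl: Optional[int] = None) -> Tuple[int, int]:
    """Derive (ttl, refresh) for a learnt RR.

    1. If an RRSIG covers the RRset, clamp the TTL to its Original TTL.
    2. A record learnt without a refresh field gets refresh = ttl.
    3. The refresh field is clamped to a maximum of the (clamped) TTL.
    """
    if rrsig_original_ttl is not None:
        ttl = min(ttl, rrsig_original_ttl)
    if refresh is None:
        refresh = ttl
    return ttl, min(refresh, ttl)

@dataclass
class CachedRR:               # simplified cache entry (assumed layout)
    name: str
    rtype: str
    rdata: str
    ttl: int                  # seconds until the record must leave the cache
    refresh: int              # seconds after which a background re-fetch is due
    learned_at: float         # time (seconds) the record was learnt

def cache_state(rr: CachedRR, now: float) -> str:
    """'fresh', 'refetch' (still served, re-fetch in background) or 'expired'."""
    age = now - rr.learned_at
    if age >= rr.ttl:
        return "expired"
    if age >= rr.refresh:
        return "refetch"
    return "fresh"

def signing_input(rr: CachedRR) -> bytes:
    """Bytes a signer or validator would hash: refresh is deliberately omitted,
    so records that differ only in refresh validate against the same RRSIG."""
    return b"|".join([rr.name.lower().encode(), rr.rtype.encode(),
                      str(rr.ttl).encode(), rr.rdata.encode()])

def rrset_digest(rr: CachedRR) -> str:
    return hashlib.sha256(signing_input(rr)).hexdigest()
```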