[dns-operations] TTL=0; Last known good answer (Re: dns retries amplify attack)

Jared Mauch jared at puck.nether.net
Wed Oct 26 11:56:59 UTC 2016


On Tue, Oct 25, 2016 at 12:39:10PM -0400, Robert Edmonds wrote:
> Paul Vixie wrote:
> > i think the best way to do this is without any signalling change. just
> > use the TTL for expiration, and use some other interval like 10% of the
> > TTL or 3X the SOA MINIMUM for re-fetch. but you'd only do this for
> > things in the cache that actually get used a lot.
> 
> You appear to be describing pre-fetching, which already exists (e.g. it
> is enabled by default in BIND >= 9.10). Are you saying that pre-fetching
> is a good enough substitute for serving hot stale records past their TTL
> expiration?

	I'd say there's a set of criteria that must be met here:

	1) authorities unreachable (outstanding queries being done)
	2) cached answer available
	3) expiry time met

	This doesn't seem too hard to do.  I'll look at doing something
here.  The nice thing is with DNSSEC validation we can know we are
serving accurate answers that were valid.

	Doing this for only signed answers could be a nice incentive,
but the reality is being more robust would be ideal.

	- Jared

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
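The three criteria Jared lists (authorities unreachable, cached answer available, expiry time met), together with the prefetch-at-10%-of-TTL idea in Paul Vixie's quoted text and the "TTL=0" serve-stale answer in the subject line, worked through as an added Python example. This is not code from the thread or from any resolver (BIND included); the StaleCache class, the FakeAuthority stand-in, the signed_only knob, the 192.0.2.1 address and the 300-second TTL are all assumptions constructed for the demo.

```python
"""Serve-stale resolver cache: an added illustration, not any resolver's code."""
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


class UpstreamUnreachable(Exception):
    """Raised by the fetch callable when every authority for a name times out."""


@dataclass
class CacheEntry:
    rdata: str
    ttl: int            # TTL as received from the authority
    inserted_at: float  # clock value (seconds) when the answer was cached
    validated: bool     # True when the answer passed DNSSEC validation

    def remaining(self, now: float) -> float:
        return self.ttl - (now - self.inserted_at)


@dataclass
class Answer:
    rdata: str
    ttl: int      # TTL handed to the client; 0 when the record is served stale
    stale: bool


# fetch(name) -> (rdata, ttl, dnssec_validated) or raises UpstreamUnreachable
Fetcher = Callable[[str], Tuple[str, int, bool]]


class StaleCache:
    def __init__(self, fetch: Fetcher, prefetch_fraction: float = 0.10,
                 signed_only: bool = False):
        self.fetch = fetch
        self.prefetch_fraction = prefetch_fraction  # re-fetch in the last 10% of TTL
        self.signed_only = signed_only              # only serve stale if DNSSEC-validated
        self.entries: Dict[str, CacheEntry] = {}
        self.prefetches = 0

    def _refresh(self, name: str, now: float) -> CacheEntry:
        rdata, ttl, validated = self.fetch(name)
        self.entries[name] = CacheEntry(rdata, ttl, now, validated)
        return self.entries[name]

    def lookup(self, name: str, now: float) -> Answer:
        entry = self.entries.get(name)
        if entry is not None and entry.remaining(now) > 0:
            # Fresh answer. If it is inside the last 10% of its TTL, try a
            # pre-fetch; a failed pre-fetch does not affect the fresh copy.
            if entry.remaining(now) <= self.prefetch_fraction * entry.ttl:
                self.prefetches += 1
                try:
                    entry = self._refresh(name, now)
                except UpstreamUnreachable:
                    pass
            return Answer(entry.rdata, int(entry.remaining(now)), stale=False)
        # Expired or absent: ask the authorities.
        try:
            entry = self._refresh(name, now)
            return Answer(entry.rdata, entry.ttl, stale=False)
        except UpstreamUnreachable:
            if entry is None:
                raise                       # nothing to fall back on: SERVFAIL
            if self.signed_only and not entry.validated:
                raise                       # unsigned stale data not trusted
            # All three criteria hold: authorities down, cached copy, TTL expired.
            return Answer(entry.rdata, 0, stale=True)


class FakeAuthority:
    """Constructed stand-in for the authoritative servers (no real DNS traffic)."""
    def __init__(self, validated: bool = True):
        self.reachable = True
        self.validated = validated
        self.queries = 0

    def __call__(self, name: str) -> Tuple[str, int, bool]:
        self.queries += 1
        if not self.reachable:
            raise UpstreamUnreachable(name)
        return ("192.0.2.1", 300, self.validated)   # assumed rdata and TTL


def demo():
    auth = FakeAuthority()
    cache = StaleCache(auth)
    a0 = cache.lookup("www.example.com", now=0)    # miss: fetched, TTL 300
    a1 = cache.lookup("www.example.com", now=100)  # hit, 200 s left
    auth.reachable = False
    a2 = cache.lookup("www.example.com", now=280)  # last 10%: prefetch fails, still fresh
    a3 = cache.lookup("www.example.com", now=400)  # expired + authorities down: stale, TTL 0
    auth.reachable = True
    a4 = cache.lookup("www.example.com", now=401)  # authorities back: fresh again
    return a0, a1, a2, a3, a4, auth.queries, cache.prefetches


def demo_signed_only():
    """With signed_only=True an unsigned stale record is refused."""
    auth = FakeAuthority(validated=False)
    cache = StaleCache(auth, signed_only=True)
    cache.lookup("mail.example.com", now=0)
    auth.reachable = False
    try:
        cache.lookup("mail.example.com", now=1000)
        return "served"
    except UpstreamUnreachable:
        return "servfail"
```

The stale answer goes out with TTL 0 so downstream caches do not hold it past the next query, and the `signed_only` switch is the "only for signed answers" variant Jared mentions; with it off the cache is more robust but will happily re-serve an unsigned record the authority can no longer be asked about.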
