[dns-operations] TTL=0; Last known good answer (Re: dns retries amplify attack)
Robert Edmonds
edmonds at mycre.ws
Wed Oct 26 13:11:16 UTC 2016
Jared Mauch wrote:
> I'd say there's a set of criteria that must be met here:
>
> 1) authorities unreachable (outstanding queries being done)
> 2) cached answer available
> 3) expiry time met
>
> This doesn't seem too hard to do. I'll look at doing something
> here. The nice thing is with DNSSEC validation we can know we are
> serving accurate answers that were valid.
At least one recursive DNS implementation has already started working on
it:
https://github.com/jedisct1/unbound/commit/e03d89343e4031be15b2ee78bd432f83cdc79889
Not sure if it implements your #1 though.
--
Robert Edmonds
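The three criteria quoted above (authorities unreachable, cached answer available, expiry met), worked through as an added toy example that is not code from Unbound or from the linked commit. It assumes a hypothetical `upstream` callable that returns `(rdata, ttl)` or raises `TimeoutError`, and a constructed fake clock and answer so it runs offline.

```python
import time
from dataclasses import dataclass


@dataclass
class Entry:
    rdata: list
    expires_at: float   # when the original TTL runs out
    stale_until: float  # hard limit for serving this answer stale


class ServeStaleCache:
    """Minimal cache that serves an expired answer with TTL=0 only while
    the authorities cannot be reached (criteria 1-3 from the quoted mail)."""

    def __init__(self, upstream, max_stale=86400, clock=time.monotonic):
        self.upstream = upstream      # hypothetical resolver-side fetch
        self.max_stale = max_stale    # seconds past expiry a stale answer may be used
        self.clock = clock
        self.cache = {}

    def lookup(self, name):
        """Return (rdata, ttl, stale). Raises TimeoutError when nothing usable exists."""
        now = self.clock()
        entry = self.cache.get(name)
        if entry and now < entry.expires_at:            # fresh: normal cache hit
            return entry.rdata, int(entry.expires_at - now), False
        try:
            rdata, ttl = self.upstream(name)            # expiry met: refetch
        except TimeoutError:
            # 1) authorities unreachable, 2) cached answer available, 3) expiry met
            if entry and now < entry.stale_until:
                return entry.rdata, 0, True             # serve stale, TTL=0
            raise                                       # too old or never cached
        self.cache[name] = Entry(rdata, now + ttl, now + ttl + self.max_stale)
        return rdata, ttl, False


def demo():
    """Scripted scenario: constructed clock, constructed answer, then an outage."""
    clock, reachable = [0.0], [True]

    def upstream(name):
        if not reachable[0]:
            raise TimeoutError("authorities unreachable")
        return ["192.0.2.1"], 300                       # constructed A record, TTL 300s

    cache = ServeStaleCache(upstream, max_stale=3600, clock=lambda: clock[0])
    results = [cache.lookup("example.com.")]            # fresh fetch
    clock[0] = 100
    results.append(cache.lookup("example.com."))        # cache hit, TTL counts down
    reachable[0], clock[0] = False, 400                 # TTL expired, authorities down
    results.append(cache.lookup("example.com."))        # stale answer, TTL=0
    clock[0] = 5000                                     # past max_stale: give up
    try:
        cache.lookup("example.com.")
    except TimeoutError:
        results.append(None)
    return results
```

Real implementations also rate-limit the refetch attempts while serving stale, which this toy omits.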