[dns-operations] TTL=0; Last known good answer (Re: dns retries amplify attack)

Robert Edmonds edmonds at mycre.ws
Wed Oct 26 13:11:16 UTC 2016

Jared Mauch wrote:
> 	I'd say there's a set of criteria that must be met here:
> 	1) authorities unreachable (outstanding queries being done)
> 	2) cached answer available
> 	3) expiry time met
> 	This doesn't seem too hard to do.  I'll look at doing something
> here.  The nice thing is with DNSSEC validation we can know we are
> serving accurate answers that were valid.

At least one recursive DNS implementation has already started working on


Not sure if it implements your #1 though.

Robert Edmonds
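The three criteria quoted above, written out as an added example; it is not part of the original message and not code from any resolver implementation. The `StaleCache` class, the `upstream` callable and the `AuthoritiesUnreachable` exception are hypothetical names, and DNSSEC validation of the cached data is assumed to have happened before it was stored.

```python
import time
from dataclasses import dataclass


class AuthoritiesUnreachable(Exception):
    """Hypothetical: raised by the upstream lookup when no authority answers."""


@dataclass
class CacheEntry:
    rdata: str
    expires_at: float  # absolute time at which the record's TTL runs out


class StaleCache:
    """Cache that serves the last known good answer only during an outage."""

    def __init__(self, upstream, clock=time.monotonic):
        self.upstream = upstream  # callable(name) -> (rdata, ttl_seconds)
        self.clock = clock
        self.entries = {}

    def resolve(self, name):
        """Return (rdata, source); source is 'cache', 'fresh' or 'stale'."""
        now = self.clock()
        entry = self.entries.get(name)

        # TTL still running: ordinary cache hit, no upstream query needed.
        if entry is not None and now < entry.expires_at:
            return entry.rdata, "cache"

        # Criterion 3 (expiry time met) holds here, or nothing was cached.
        try:
            rdata, ttl = self.upstream(name)
        except AuthoritiesUnreachable:
            # Criterion 1 holds (authorities unreachable after a real attempt).
            # Criterion 2: only answer if an earlier answer is still held.
            if entry is not None:
                return entry.rdata, "stale"
            raise

        # Any reachable authority wins: its answer replaces the old record.
        self.entries[name] = CacheEntry(rdata, now + ttl)
        return rdata, "fresh"
```

The stale path is reached only when the upstream query itself fails, so an authoritative answer, including a changed one, always replaces the cached record.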
