[dns-operations] TTL=0; Last known good answer (Re: dns retries amplify attack)

Jared Mauch jared at puck.nether.net
Wed Oct 26 15:42:49 UTC 2016

> On Oct 26, 2016, at 9:11 AM, Robert Edmonds <edmonds at mycre.ws> wrote:
> Jared Mauch wrote:
>> 	I'd say there's a set of criteria that must be met here:
>> 	1) authorities unreachable (outstanding queries being done)
>> 	2) cached answer available
>> 	3) expiry time met
>> 	This doesn't seem too hard to do.  I'll look at doing something
>> here.  The nice thing is with DNSSEC validation we can know we are
>> serving accurate answers that were valid.
> At least one recursive DNS implementation has already started working on
> it:
> https://github.com/jedisct1/unbound/commit/e03d89343e4031be15b2ee78bd432f83cdc79889
> Not sure if it implements your #1 though.

I’m now looking closer at this after my WISP had an outage yesterday which
of course caused DNS failures for their customer cone.

Looking at the BIND 9.11 code this also seems possible to do, but a fair amount of
logic needs to be added to allow the non-expiry of adb entries around how

Going to take a closer look at unbound, thanks for the pointer.

- Jared
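The three criteria quoted above (authorities unreachable, cached answer available, expiry time met), turned into a small serve-stale cache model that hands back the last known good answer with TTL=0 and refuses to do so for data that never validated or that is older than a bounded stale window. This is an added example written for this page, not code from BIND 9.11 or from the Unbound commit linked above; the `StaleCache` class, the `max_stale` window, the `validated` flag and the constructed clock and upstream stubs are assumptions made for illustration.

```python
"""Serve-stale ("last known good answer") model.  Added example, not BIND or
Unbound code.  `StaleCache`, `max_stale`, the `validated` flag and the stubs
below are assumptions for illustration only."""
from __future__ import annotations

import time
from dataclasses import dataclass, field
from typing import Callable


class UpstreamUnreachable(Exception):
    """Raised by the upstream callback when no authority answers."""


@dataclass
class CachedRRset:
    rdata: list[str]
    ttl: int           # TTL from the authoritative answer
    inserted: float    # clock reading at insertion
    validated: bool    # DNSSEC validation state at insertion (assumption)

    def remaining(self, now: float) -> int:
        return max(0, int(self.ttl - (now - self.inserted)))


@dataclass
class Answer:
    rdata: list[str]
    ttl: int
    stale: bool


@dataclass
class StaleCache:
    lookup_upstream: Callable[[str], tuple[list[str], int, bool]]
    max_stale: int = 3600          # seconds past expiry we are willing to serve (assumption)
    clock: Callable[[], float] = time.monotonic
    store: dict[str, CachedRRset] = field(default_factory=dict)

    def resolve(self, name: str) -> Answer:
        now = self.clock()
        entry = self.store.get(name)
        # Criterion 3 not met: still fresh, serve from cache with the remaining TTL.
        if entry is not None and entry.remaining(now) > 0:
            return Answer(entry.rdata, entry.remaining(now), stale=False)
        # Expired or absent: go to the authorities.
        try:
            rdata, ttl, validated = self.lookup_upstream(name)
        except UpstreamUnreachable:
            # Criterion 1 (authorities unreachable) plus criterion 2 (cached answer
            # available).  Only serve data that validated when it was cached, and
            # only within the stale window; otherwise fail like a normal resolver.
            if entry is None or not entry.validated:
                raise
            stale_for = now - (entry.inserted + entry.ttl)
            if stale_for > self.max_stale:
                del self.store[name]
                raise
            # TTL=0 so downstream caches do not hold the stale answer for long.
            return Answer(entry.rdata, 0, stale=True)
        self.store[name] = CachedRRset(rdata, ttl, now, validated)
        return Answer(rdata, ttl, stale=False)


class FakeClock:
    """Constructed clock so the expiry logic can be exercised without sleeping."""
    def __init__(self) -> None:
        self.t = 0.0
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


class FakeUpstream:
    """Constructed upstream: answers until `up` is cleared, then raises."""
    def __init__(self) -> None:
        self.up = True
    def __call__(self, name: str) -> tuple[list[str], int, bool]:
        if not self.up:
            raise UpstreamUnreachable(name)
        return (["192.0.2.1"], 300, True)   # constructed answer: TTL 300, validated


def demo() -> tuple[Answer, Answer, Answer, bool]:
    clock, upstream = FakeClock(), FakeUpstream()
    cache = StaleCache(upstream, max_stale=3600, clock=clock)
    fresh = cache.resolve("www.example.")    # normal path, TTL 300
    clock.advance(100)
    hit = cache.resolve("www.example.")      # cache hit, TTL 200 remaining
    clock.advance(250)                       # t=350: entry expired
    upstream.up = False                      # outage: authorities unreachable
    stale = cache.resolve("www.example.")    # last known good answer, TTL=0
    clock.advance(4000)                      # t=4350: beyond max_stale
    try:
        cache.resolve("www.example.")
        failed_closed = False
    except UpstreamUnreachable:
        failed_closed = True
    return fresh, hit, stale, failed_closed


if __name__ == "__main__":
    for a in demo()[:3]:
        print(a)
```

The bounded `max_stale` window is what keeps this from becoming an unbounded "serve whatever we last saw" cache: once the outage outlasts the window the entry is discarded and the resolver fails closed, so a zone that was deliberately changed or withdrawn cannot be served forever from a resolver that has lost its upstream.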
