[dns-operations] EC2 resolver changing TTL on DNS answers?

Ángel operations at dns.16bits.net
Fri Dec 1 02:18:59 UTC 2017


On 2017-11-29 at 07:43 -0800, Colm MacCárthaigh wrote:


>         i'd like to think that hierarchical autonomy would mean that
>         i, as a zone publisher, would be in sole control of how long
>         my data is cached. if rdns operators want to negotiate, by
>         protocol, over longer leases, then by all means let's make
>         that possible.
> 
> 
> I think on balance, I would still prefer if every resolver served from
> stale cache when auth DNS becomes unreachable, rather than return
> SERVFAIL, at least for a few hours. You're right that that means a
> domain that's being taken down may persist, but if we can take down
> the DNS servers, is taking down the web servers (or whatever) ...
> really harder or more complex? 

The ability to take down a dns server is orthogonal to the ability of
taking down a web server hosted there.
But yes, although it can be easier, it could be much harder.


Also note, it is much easier to detect a dns-provider takedown than a
hosting takedown. In the later case, they could easily be providing a
fake "website blocked" banner, while still serving their clients
(victims).


I agree however that serving stale data (for a limited time) when the
authoritative server is unreachable would be beneficial.


Best regards






More information about the dns-operations mailing list