[dns-operations] EC2 resolver changing TTL on DNS answers?
Ángel
operations at dns.16bits.net
Fri Dec 1 02:18:59 UTC 2017
On 2017-11-29 at 07:43 -0800, Colm MacCárthaigh wrote:
> i'd like to think that hierarchical autonomy would mean that
> i, as a zone publisher, would be in sole control of how long
> my data is cached. if rdns operators want to negotiate, by
> protocol, over longer leases, then by all means let's make
> that possible.
>
> I think on balance, I would still prefer if every resolver served from
> stale cache when auth DNS becomes unreachable, rather than return
> SERVFAIL, at least for a few hours. You're right that that means a
> domain that's being taken down may persist, but if we can take down
> the DNS servers, is taking down the web servers (or whatever) ...
> really harder or more complex?
The ability to take down a dns server is orthogonal to the ability of
taking down a web server hosted there.
But yes, although it can be easier, it could be much harder.
Also note, it is much easier to detect a dns-provider takedown than a
hosting takedown. In the latter case, they could easily be providing a
fake "website blocked" banner, while still serving their clients
(victims).
I agree however that serving stale data (for a limited time) when the
authoritative server is unreachable would be beneficial.
Best regards
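The behaviour discussed in this thread, a resolver answering from stale cache for a bounded window once the authoritative server stops responding instead of returning SERVFAIL (later standardised as RFC 8767), as an added illustration that is not part of the original post. The cache model, the `max_stale` window and the sample record are constructed for the example.

```python
"""Toy resolver cache showing a bounded serve-stale policy (constructed example)."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class CacheEntry:
    rdata: str        # answer data as published by the zone owner
    ttl: int          # TTL in seconds chosen by the zone publisher
    stored_at: float  # time (seconds) the answer entered the cache


class StaleCache:
    """Cache that honours the publisher's TTL while the auth is reachable,
    and only extends it (by at most max_stale seconds) when it is not."""

    def __init__(self, max_stale: int) -> None:
        self.max_stale = max_stale            # upper bound on stale serving
        self.entries: dict[str, CacheEntry] = {}

    def store(self, name: str, rdata: str, ttl: int, now: float) -> None:
        self.entries[name] = CacheEntry(rdata, ttl, now)

    def lookup(self, name: str, now: float,
               auth_reachable: bool) -> Tuple[str, Optional[str]]:
        """Return (status, rdata). Statuses: FRESH (within TTL), REFRESH
        (expired, auth reachable: re-query it), STALE (expired, auth down,
        inside the stale window), SERVFAIL (nothing usable to answer)."""
        entry = self.entries.get(name)
        if entry is None:
            # No cached data at all: only the auth can help, else fail.
            return ("REFRESH", None) if auth_reachable else ("SERVFAIL", None)
        age = now - entry.stored_at
        if age <= entry.ttl:
            return ("FRESH", entry.rdata)        # publisher's TTL is respected
        if auth_reachable:
            return ("REFRESH", None)             # expired: never extend if auth is up
        if age <= entry.ttl + self.max_stale:
            return ("STALE", entry.rdata)        # auth down: serve stale for a while
        return ("SERVFAIL", None)                # stale window exhausted: give up


if __name__ == "__main__":
    cache = StaleCache(max_stale=3 * 3600)    # "a few hours", as in the thread
    cache.store("www.example.com", "192.0.2.1", ttl=300, now=0)
    print(cache.lookup("www.example.com", now=400, auth_reachable=False))
```

The takedown trade-off from the thread is visible in the last two branches: an outage at the authoritative side keeps the old record answerable only until `max_stale` elapses.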