----- Original Message ----- From: "John Levine" <jo...@taugh.com> To: <dnsop@ietf.org> Sent: Wednesday, April 13, 2011 7:04 PM Subject: [DNSOP] Do negative cache entries have to be consistent ?
> Some friends of mine who run DNSBLs have this idea to manage the > traffic to their servers: some parts of the IP address space are more > likely to get infected than others, so when they send back a NXDOMAIN > response, they want to adjust the TTL so that addreses that are > unlikely to get listed have a longer TTL and addresses that are more > likely to become listed have a shorter TTL. > > Since the TTL on a negative cache entry comes from the TTL on the SOA > returned with the NXDOMAIN, this means that they'll be returning SOAs > with different TTLs on different responses. This strikes me as > something that's not technically illegal, but that people who write > DNS caches didn't anticipate. Is it likely to break anything? It should be fine with modern caches. The way caches are meant to work according to the DNSSEC standard is that the complete response is cached as single atomic entry, complete with any asociated SOA/NSEC records. http://tools.ietf.org/html/rfc4035#section-4.5 The TTL is derived from the SOA minimun and the lowest TTL in the RRsets sent. So this behavior is not at all unanticipated I think. > Bonus question: with DNSSEC, a cache can use NSEC info to synthesize > NXDOMAIN responses for nearby addresses. Will inconsistent TTLs break > anything then? Not at present. However there are suggestions that if a parent NXDOMAIN is found, it could imply that all the responses descended form that could be assumed to be NXDOMAIN. This is not yet part of the standard though, and in fact old authoritative nameservers sometimes return NXDOMAIN even when there are children, so in practice it ths will probably have to be restricted to DNSSEC. > If you think this is a stupid idea, please say why. Traffic to DNSBL > servers is significant, and traces suggest this will noticably > decrease the traffic, so unless it breaks something, it's useful. > They realize that there is some possibility of stale data, but that's > a given whenever a TTL is greater than zero. > > Regards, > John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for > Dummies", > Please consider the environment before reading this e-mail. http://jl.ly > > PS: If you were planning to say that all DNSBLs stink, don't. We know > they do, but the alternative stinks worse. > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
