RE: Why *can* cached DNS replies be overwritten?
"Antoin Verschuren" <Antoin.Verschuren@sidn.nl> Tue, 12 August 2008 08:39 UTC
Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5F31D3A6994; Tue, 12 Aug 2008 01:39:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.55
X-Spam-Level: ***
X-Spam-Status: No, score=3.55 tagged_above=-999 required=5 tests=[BAYES_50=0.001, FH_RELAY_NODNS=1.451, HELO_EQ_NL=0.55, HELO_MISMATCH_NL=1.448, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZrARqoNt-pMh; Tue, 12 Aug 2008 01:39:11 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id DFDE53A63C9; Tue, 12 Aug 2008 01:39:10 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1KSpHq-000JhX-BW for namedroppers-data@psg.com; Tue, 12 Aug 2008 08:31:26 +0000
Received: from [193.176.144.134] (helo=gw.sidn.nl) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <Antoin.Verschuren@sidn.nl>) id 1KSpHm-000JgY-2x for namedroppers@psg.com; Tue, 12 Aug 2008 08:31:24 +0000
Received: by localhost.sidn.nl (TUNIX/Firewall Mail Server) with ESMTP id A25463A9AD for <namedroppers@psg.com>; Tue, 12 Aug 2008 10:31:19 +0200 (CEST)
Received: by gw.sidn.nl (TUNIX/Firewall Mail Server) with ESMTP for <namedroppers@psg.com>; Tue, 12 Aug 2008 10:31:19 +0200 (CEST)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
Subject: RE: Why *can* cached DNS replies be overwritten?
Date: Tue, 12 Aug 2008 10:31:21 +0200
Message-ID: <B33086268D53A0429A3AA2774C83892C02E6D330@KAEVS1.SIDN.local>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Why *can* cached DNS replies be overwritten?
Thread-Index: Acj75+GsMv0svaFfTUKaqmpZUgMU8AAZyyXA
References: <20080811190427.GD9082@cgi.jachomes.com>
From: Antoin Verschuren <Antoin.Verschuren@sidn.nl>
To: namedroppers@psg.com
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
> -----Original Message----- > From: owner-namedroppers@ops.ietf.org [mailto:owner- > Subject: Why *can* cached DNS replies be overwritten? > > Do djb and Power in fact do that? I did some investigation after my post of http://lists.oarci.net/pipermail/dns-operations/2008-February/002526.html I did not test this myself, but what people have told me is: Dnscache, powerdns: Updates the cache by resetting the TTL if a new authoritative answer for the same entry is received. Bind: Updates the cache, but only replaces the TTL with the min value Unbound: Never updates, always waits for an entry to expire before accepting a new entry > Everyone seems to continue asking "why can poisoning overwrite already > cached answer" and no one seems to be answering, and, unless I'm a > moron (which is not impossible), that's the crux of this issue. I actually like the simple behavior that an authoritative answer can override an already cached answer. It's efficient, and follows the simple rule that an authorative answer can be cached. It only goes wrong if people don't maintain their DNS entries operationally, and forget to delete entries they are no longer authoritative for. So the bad guys get hit. The benefit for the good guys is that less lookups are needed, and more importantly, parents are hit less. In the DNS hierarchy, you don't want every query to hit the root. My concern is that if records always expire, like Unbound does, parent nameservers are hit more. Now we can start an argument on the fact that traffic has become inexpensive, and root and TLD nameservers should be able to cope with this minimal increase in queries, but I think we should define a protocol to be as efficient as it can be. I actually don't know how parent traffic will be affected, I'm interested to see measurements on that. But I stay with the thought that even though we only win some bits in traffic, we should always aim to design a protocol to do so. I also think we must not create protocol complexity to protect ignorant users from making mistakes when that does not benefit educated users. And then there's the argument that when cached entries cannot be replaced, an attacker can make use of that. "fixing" a bad cache entry remotely by sending the correct authoritative answer might reduce the time window a poisoned cache is operational. Antoin Verschuren Technical Policy Advisor SIDN Utrechtseweg 310 PO Box 5022 6802 EA Arnhem The Netherlands T +31 26 3525500 F +31 26 3525505 M +31 6 23368970 E antoin.verschuren@sidn.nl W http://www.sidn.nl/ -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- Re: Why *can* cached DNS replies be overwritten? Olafur Gudmundsson
- Why *can* cached DNS replies be overwritten? Jay R. Ashworth
- Re: Why *can* cached DNS replies be overwritten? bert hubert
- RE: Why *can* cached DNS replies be overwritten? Antoin Verschuren
- Dealing with the NS RRSet [Re: Why *can* cached D… Peter Koch
- Re: Dealing with the NS RRSet [Re: Why *can* cach… Tony Finch
- Re: Dealing with the NS RRSet [Re: Why *can* cach… Florian Weimer
- Re: Why *can* cached DNS replies be overwritten? Paul Vixie
- Re: Dealing with the NS RRSet [Re: Why *can* cach… Peter Koch
- Re: Dealing with the NS RRSet [Re: Why *can* cach… Tony Finch