Re: Why *can* cached DNS replies be overwritten?

bert hubert <bert.hubert@netherlabs.nl> Mon, 11 August 2008 20:14 UTC

Date: Mon, 11 Aug 2008 22:09:50 +0200
From: bert hubert <bert.hubert@netherlabs.nl>
To: "Jay R. Ashworth" <jra@baylink.com>
Cc: namedroppers@psg.com
Subject: Re: Why *can* cached DNS replies be overwritten?
Message-ID: <20080811200950.GB17121@outpost.ds9a.nl>
References: <20080811190427.GD9082@cgi.jachomes.com>

On Mon, Aug 11, 2008 at 03:04:27PM -0400, Jay R. Ashworth wrote:
> Correct me if I'm wrong, Leo, but your assertion turns on the fact that
> the server will accept an overwriting cache entry for something it
> already has cached, does it not?
> 
> Do djb and Power in fact do that?

Yes - PowerDNS does that because of reasons which used to be persuasive. It
is in fact probably possible to ignore such updates.

Costs are that (nameserver) changes get picked up later. 

I'll try this in PowerDNS on the several billion test queries and answers we
have to see if this breaks things.

> Everyone seems to continue asking "why can poisoning overwrite already
> cached answer" and no one seems to be answering, and, unless I'm a
> moron (which is not impossible), that's the crux of this issue.

It feels odd to deviate from 25 years of DNS practice. This may be one
reason why people find it hard to try such things.

Thanks for persistently asking about this.

It may be something that is not theoretically allowed, but that practically
helps us out of the woods.

Will report results of the tests here.

	Bert

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software 
http://netherlabs.nl              Open and Closed source services
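Added example (not from Bert's message or from PowerDNS): a toy Python resolver cache contrasting the two policies discussed above, accepting an answer that overwrites a still-valid entry versus ignoring it until the TTL expires. The owner name, addresses and timings are constructed; the second answer stands for any reply carrying different data for an already-cached name, whether a legitimate renumbering or a forgery, since the cache alone cannot tell them apart.

```python
from dataclasses import dataclass


@dataclass
class Entry:
    rdata: str
    expires: float  # absolute time (seconds) at which the TTL runs out


class Cache:
    """Toy resolver cache holding a single A record per owner name."""

    def __init__(self, overwrite_allowed: bool):
        self.overwrite_allowed = overwrite_allowed
        self.entries = {}

    def lookup(self, name: str, now: float):
        """Return the cached rdata, or None on a miss (absent or expired)."""
        e = self.entries.get(name)
        if e is None or e.expires <= now:
            self.entries.pop(name, None)
            return None
        return e.rdata

    def store(self, name: str, rdata: str, ttl: int, now: float) -> bool:
        """Insert an answer; return False if the policy ignored it."""
        if not self.overwrite_allowed and self.lookup(name, now) is not None:
            return False  # entry still valid under the old TTL: keep it
        self.entries[name] = Entry(rdata, now + ttl)
        return True


def simulate(overwrite_allowed: bool) -> dict:
    """Replay one constructed scenario against a cache using the given policy."""
    cache = Cache(overwrite_allowed)
    # t=0: genuine answer cached with a one-hour TTL (constructed data).
    cache.store("www.example.", "192.0.2.1", ttl=3600, now=0.0)
    # t=10: another answer for the same name arrives with different rdata.
    accepted = cache.store("www.example.", "203.0.113.9", ttl=3600, now=10.0)
    seen_at_t10 = cache.lookup("www.example.", 10.0)
    # t=3601: the original TTL has expired. With overwriting disallowed this is
    # a miss, so a fresh query is needed before the new data becomes visible;
    # that delay is the cost Bert mentions. With overwriting allowed the t=10
    # answer already refreshed the TTL, so there is no miss yet.
    miss = cache.lookup("www.example.", 3601.0) is None
    cache.store("www.example.", "203.0.113.9", ttl=3600, now=3601.0)
    return {"accepted": accepted, "seen_at_t10": seen_at_t10,
            "miss_after_ttl": miss,
            "seen_after_refresh": cache.lookup("www.example.", 3602.0)}
```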

archive: <http://ops.ietf.org/lists/namedroppers/>