Re: [DNSOP] AD review of draft-ietf-dnsop-serve-stale-07

Stephane Bortzmeyer <> Sat, 14 September 2019 12:33 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2CDE812008A; Sat, 14 Sep 2019 05:33:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id pFrEYc7aYfWP; Sat, 14 Sep 2019 05:33:09 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8D5DC120077; Sat, 14 Sep 2019 05:33:09 -0700 (PDT)
Received: by (Postfix, from userid 10) id B40B3A052F; Sat, 14 Sep 2019 14:33:06 +0200 (CEST)
Received: by (Postfix, from userid 1000) id 949341908BD; Sat, 14 Sep 2019 14:29:18 +0200 (CEST)
Date: Sat, 14 Sep 2019 14:29:18 +0200
From: Stephane Bortzmeyer <>
To: Barry Leiba <>
Message-ID: <>
References: <>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <>
X-Transport: UUCP rules
X-Operating-System: Debian GNU/Linux 9.9
X-Charlie: Je suis Charlie
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <>
Subject: Re: [DNSOP] AD review of draft-ietf-dnsop-serve-stale-07
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 14 Sep 2019 12:33:13 -0000

On Wed, Sep 11, 2019 at 12:06:23PM -0400,
 Barry Leiba <> wrote 
 a message of 75 lines which said:

> I wonder if it makes sense to be more explicit here that one isn’t
> meant to keep using expired data forever, but is expected to keep
> trying to refresh it.  So, maybe?:
>       If the data is unable to be
>       authoritatively refreshed when the TTL expires, the record MAY be
>       used as though it is unexpired until an authoritative refresh is
>       successful.

I think your proposed text is worse since it contradicts the current
draft, which limits the time during which you can serve stale answers
"The maximum stale timer should be configurable, and defines the
length of time after a record expires that it should be retained in
the cache.  The suggested value is between 1 and 3 days. [Even if you
cannot contact the authoritative servers, my note.]"

> Is another possible new security consideration that bad actors could
> DDoS authoritative servers with the explicit intent of having stale
> cached information used for longer, perhaps to extend the life of a
> cache-poisoning attack or some such?

Yes, seems right. Also reported by Viktor Dukhovni during the last
call. May be add at the end of section 10 "Attackers could be incited
to dDoS authoritative servers with the explicit intent of having stale
cached information used for longer. But if they have this capacity,
they probably could do much worse things than prolongating old data."