Re: Protecting caches?
On Fri, Aug 29, 2008 at 12:36:21PM -0700, Paul Hoffman wrote:
> part of the Kaminsky attack works. If I have a record in my cache
> with days left on the TTL, why should an attacker be able to change
> that record with bad information when I'm asking about a different
> record? The advantage of this ("we gave too long of a TTL and now
Most programmers of servers used to act on the assumption that packets (and
by extension, questions) were expensive. An answer carrying 'free' data for
which the resolver considered it authoritative was more than welcome in this
Plus the oft quoted credibility rules of course.
I'm moving to having a switch that lets data with an unexpired TTL not be
overwritten by newer answers.
http://www.PowerDNS.com Open source, database driven DNS Software
http://netherlabs.nl Open and Closed source services
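The "don't overwrite an unexpired record" switch discussed in this thread, as an added illustration that is not PowerDNS code: a toy resolver cache that applies the classic credibility ordering and, with the switch on, refuses to replace a record that still has TTL left unless the new data is strictly more credible. The credibility ranks and the record layout are assumptions made for the example.

```python
import time

# Assumed credibility ranks (higher wins), loosely modelled on the
# "oft quoted credibility rules": data from the additional section is
# trusted less than an answer-section record, which is trusted less than
# an authoritative answer to the question we actually asked.
CRED_ADDITIONAL = 1
CRED_ANSWER = 2
CRED_AUTH_ANSWER = 3


class Cache:
    def __init__(self, protect_unexpired=True, clock=time.time):
        # protect_unexpired is the switch from the thread; clock is
        # injectable so the behaviour can be exercised offline.
        self.protect_unexpired = protect_unexpired
        self.clock = clock
        # (name, qtype) -> (rdata, expires_at, credibility)
        self.entries = {}

    def lookup(self, name, qtype):
        entry = self.entries.get((name, qtype))
        if entry is None or entry[1] <= self.clock():
            return None  # absent or expired
        return entry[0]

    def store(self, name, qtype, rdata, ttl, credibility):
        """Offer a record to the cache; return True if it was accepted."""
        key = (name, qtype)
        now = self.clock()
        current = self.entries.get(key)
        if current is not None and current[1] > now:
            # An unexpired record is present for this name/type.
            if credibility < current[2]:
                return False  # classic rule: less credible data never wins
            if self.protect_unexpired and credibility == current[2]:
                # The switch: equally credible "newer" data does not
                # displace a record that still has TTL left.
                return False
        self.entries[key] = (rdata, now + ttl, credibility)
        return True
```

Expired records are always replaceable, so the switch only narrows the window in which an unsolicited answer can displace data the resolver already holds.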