On Fri, Aug 29, 2008 at 12:36:21PM -0700, Paul Hoffman wrote:
> part of the Kaminsky attack works. If I have a record in my cache
> with days left on the TTL, why should an attacker be able to change
> that record with bad information when I'm asking about a different
> record? The advantage of this ("we gave too long of a TTL and now
Most programmers of servers used to act on the assumption that packets (and
by extension, questions) were expensive. An answer carrying 'free' data for
which the resolver considered it authoritative was more than welcome in this
respect.

Plus the oft-quoted credibility rules, of course.

I'm moving to having a switch that lets data with an unexpired TTL not be
overwritten by newer answers.

Bert

--
http://www.PowerDNS.com Open source, database driven DNS Software
http://netherlabs.nl Open and Closed source services
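As an added illustration (not code from this thread or from PowerDNS), here is a toy resolver cache in Python with the kind of switch Bert describes: with `protect_unexpired` on, an unsolicited record for a name that is still in cache with time left on its TTL is refused, while expired data is still refreshed. The `ResolverCache` class, names and addresses are all constructed for the example; real resolvers combine this with bailiwick and credibility rules, which are not modelled here.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class CacheEntry:
    rdata: str
    expires_at: float  # absolute time at which the TTL runs out

class ResolverCache:
    """Minimal (name, qtype) -> record cache (constructed for illustration)."""

    def __init__(self, protect_unexpired: bool):
        self.protect_unexpired = protect_unexpired
        self.store: Dict[Tuple[str, str], CacheEntry] = {}

    def lookup(self, name: str, qtype: str, now: float) -> Optional[str]:
        entry = self.store.get((name.lower(), qtype))
        if entry is None or entry.expires_at <= now:
            return None  # miss, or the TTL has expired
        return entry.rdata

    def insert(self, name: str, qtype: str, rdata: str, ttl: int, now: float) -> bool:
        """Store the record; return False if refused by the switch."""
        key = (name.lower(), qtype)
        existing = self.store.get(key)
        if self.protect_unexpired and existing is not None and existing.expires_at > now:
            return False  # unexpired cached data wins over the newer answer
        self.store[key] = CacheEntry(rdata, now + ttl)
        return True

    def ingest_response(self, records: List[Tuple[str, str, str, int]], now: float) -> List[str]:
        """Feed every record of one response (name, type, rdata, ttl); return accepted names."""
        return [name.lower() for name, rtype, rdata, ttl in records
                if self.insert(name, rtype, rdata, ttl, now)]

def demo(protect: bool) -> Optional[str]:
    """Constructed scenario: a long-TTL record, then a response to a different
    question carrying an unsolicited, conflicting record for the same name."""
    cache = ResolverCache(protect_unexpired=protect)
    cache.ingest_response([("www.example.com", "A", "192.0.2.10", 172800)], now=0.0)
    cache.ingest_response([("other.example.com", "A", "192.0.2.20", 300),
                           ("www.example.com", "A", "198.51.100.66", 172800)], now=3600.0)
    return cache.lookup("www.example.com", "A", now=3600.0)
```

With the switch off the unsolicited record replaces the cached one; with it on, the original data is kept until its TTL runs out, after which a fresh answer is accepted again.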

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: