North American Network Operators Group


Re: Why *can* cached DNS replies be overwritten?

  • From: Edward Lewis
  • Date: Mon Aug 11 13:31:03 2008

At 11:31 -0500 8/11/08, Jack Bates wrote:

> Leo Bicknell wrote:
>
>> Authorities are updated all the time.  There are thousands of these
>> cache overwrites with new, more up to date info every day.
>
> The problem is, it's not trustworthy.

In the original definition of DNS, there were no or almost no dynamic changes. The protocol wasn't built for that. The result is all of the old sacred texts are written in a context that everything is static (for at least as long as the TTL).

The modern operation of the DNS is more dynamic. It isn't a case that the protocol today cannot be (more) dynamic (than the founding engineers thought) but that all of the documented texts upon which we today base arguments are written along the "old think" lines. So when we get into a battle of RFCs vs. best current practices the two sides are not speaking the same language.

The DNS can be more dynamic by liberalizing its ability to learn new data. It's a sliding curve - more liberal means accepting more stuff, some of which might be the garbage we don't want. The choice is between tight and unbending versus dynamic and less trustworthy. The goal is to strike the right balance.

It is possible for a protocol to do what DNS does and also have secure updates. But the DNS, as it is in the RFCs, lacks a really good foundation for extension. We can do something, but we will probably never get to the final goal.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar


Never confuse activity with progress. Activity pays more.
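The "sliding curve" the post describes, between a cache that learns new data freely and one that refuses anything it did not already believe, is exactly the knob that RFC 2181 section 5.4.1 turns by ranking unsigned DNS data by where it came from. The toy resolver cache below is an added illustration and is not code from this thread or from any resolver implementation. It models only the reply-derived levels of the RFC 2181 ranking (answer section of an authoritative reply, authority section of an authoritative reply, answer section of a non-authoritative reply, and additional or non-authoritative authority data), and the rule that data of equal rank may replace cached data is an assumption of this example. The names and addresses are constructed from the RFC 2606 and RFC 5737 documentation ranges.

```python
"""Toy resolver cache that ranks unsigned DNS data by its source before
allowing it to overwrite a cached RRset.

The order of the ranks follows RFC 2181 section 5.4.1 (most to least
trustworthy). Only reply-derived levels are modelled, and letting
equal-rank data replace cached data is an assumption of this example.
"""

from dataclasses import dataclass
from enum import IntEnum


class Source(IntEnum):
    # Higher value = more trustworthy. Subset of RFC 2181 section 5.4.1.
    ADDITIONAL = 1       # additional section, or authority section of a non-AA reply
    NONAUTH_ANSWER = 2   # answer section of a non-authoritative reply
    AUTH_AUTHORITY = 3   # authority section of an authoritative reply
    AUTH_ANSWER = 4      # answer section of an authoritative (AA=1) reply


@dataclass
class Entry:
    rdata: tuple      # RRset contents, e.g. ("192.0.2.10",)
    ttl: int          # seconds the entry may be served
    source: Source    # credibility rank of the data when it was learned
    stored_at: float  # time the entry was cached


class RankedCache:
    def __init__(self):
        self._store = {}  # (owner name, rtype) -> Entry

    def _live(self, entry, now):
        return entry is not None and now < entry.stored_at + entry.ttl

    def lookup(self, name, rtype, now):
        """Return the cached RRset, or None if absent or past its TTL."""
        e = self._store.get((name.lower(), rtype))
        return e.rdata if self._live(e, now) else None

    def learn(self, name, rtype, rdata, ttl, source, now):
        """Offer an RRset to the cache; return True if it was accepted.

        A lower-credibility RRset may not overwrite a live entry of higher
        credibility. Once the cached entry's TTL has run out, anything may
        replace it (the "static for as long as the TTL" assumption)."""
        key = (name.lower(), rtype)
        cur = self._store.get(key)
        if self._live(cur, now) and source < cur.source:
            return False
        self._store[key] = Entry(tuple(rdata), ttl, source, now)
        return True


def demo():
    """Walk one name through the accept/reject decisions (constructed data)."""
    c = RankedCache()
    # Learned from the answer section of an authoritative reply.
    c.learn("www.example.", "A", ["192.0.2.10"], 3600, Source.AUTH_ANSWER, now=0)
    # Same name appears in the additional section of some other reply:
    # rejected, because it ranks below what is already cached.
    rejected = not c.learn("www.example.", "A", ["198.51.100.7"], 3600,
                           Source.ADDITIONAL, now=10)
    # A fresh authoritative answer may update the record (legitimate change).
    auth_update = c.learn("www.example.", "A", ["192.0.2.11"], 3600,
                          Source.AUTH_ANSWER, now=20)
    # After the TTL expires, even low-rank data fills the empty slot.
    after_expiry = c.learn("www.example.", "A", ["198.51.100.7"], 60,
                           Source.ADDITIONAL, now=4000)
    return rejected, auth_update, after_expiry, c.lookup("www.example.", "A", now=4001)


if __name__ == "__main__":
    print(demo())  # (True, True, True, ('198.51.100.7',))
```

The last step of `demo()` shows why ranking alone is not the whole answer: once the entry has aged out, the cache is back to accepting whatever arrives first, which is the point the thread makes about needing something stronger than source heuristics for trustworthy updates.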