Why *can* cached DNS replies be overwritten?
bicknell at ufp.org
Mon Aug 11 10:59:16 CDT 2008
In a message written on Mon, Aug 11, 2008 at 11:39:25AM -0400, Jay R. Ashworth wrote:
> Everyone seems to continue asking "why can poisoning overwrite already
> cached answer" and no one seems to be answering, and, unless I'm a
> moron (which is not impossible), that's the crux of this issue.
Let's say you query FOO.COM, and it says "My servers are A, B, and
C." So you cache A, B, and C and go on your merry way.
Now, before the TTL expires the data center with B and C in it gets
hit by a tornado. The FOO.COM admin quickly stands up two new
servers in a new data center, and updates FOO.COM to be servers A,
D, and E. So you go back and ask for "newname.foo.com" from A, by
random chance. A sends you back "it's 22.214.171.124, and A, D, and E
know all about it.".
What you're advocating is that the server go, humm, that's not what
I got the first time and keep using A, B, and C, for which B and C
may no longer be authortative, or worse in this example, are completly
offline. It would then wait until the TTL expires to get the same
That's not to say there aren't possibly other checks or rechecks
that could be done, but in the vast majority of day to day cases
when someone properly gives you additional information it is useful.
Authorities are updated all the time. There are thousands of these
cache overwrites with new, more up to date info every day.
Leo Bicknell - bicknell at ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 187 bytes
Desc: not available
More information about the NANOG