Why *can* cached DNS replies be overwritten?

Edward Lewis Ed.Lewis at neustar.biz
Mon Aug 11 12:30:29 CDT 2008

At 11:31 -0500 8/11/08, Jack Bates wrote:
>Leo Bicknell wrote:
>>  Authorities are updated all the time.  There are thousands of these
>>  cache overwrites with new, more up to date info every day.
>The problem is, it's not trustworthy.

In the original definition of DNS, there were no or almost no dynamic 
changes.  The protocol wasn't built for that.  The result is all of 
the old sacred texts are written in a context that everything is 
static (for as least as long as the TTL).

The modern operation of the DNS is more dynamic.  It isn't a case 
that the protocol today cannot be (more) dynamic (than the founding 
engineers thought) but that all of the documented texts upon wish we 
today base arguments are written along the "old think" lines.  So 
when we get into a battle of RFCs vs. best current practices the two 
sides are not speaking the same language.

The DNS can be more dynamic by liberalizing it's ability to learn new 
data.  It's a sliding curve - more liberal means accepting more 
stuff, some of which might be the garbage we don't want.  The choice 
is between tight and unbending versus dynamic and less trustworthy. 
The goal is to strike the right balance.

It is possible for a protocol to do what DNS does and also have 
secure updates.  But the DNS as it is in the RFCs, lacks a real good 
foundation for extension.  We can do something, but we will probably 
never get to the final goal.
Edward Lewis                                                +1-571-434-5468

Never confuse activity with progress.  Activity pays more.

More information about the NANOG mailing list