Why *can* cached DNS replies be overwritten?
Ed.Lewis at neustar.biz
Mon Aug 11 12:30:29 CDT 2008
At 11:31 -0500 8/11/08, Jack Bates wrote:
>Leo Bicknell wrote:
>> Authorities are updated all the time. There are thousands of these
>> cache overwrites with new, more up to date info every day.
>The problem is, it's not trustworthy.
In the original definition of DNS, there were no or almost no dynamic
changes. The protocol wasn't built for that. The result is all of
the old sacred texts are written in a context that everything is
static (for as least as long as the TTL).
The modern operation of the DNS is more dynamic. It isn't a case
that the protocol today cannot be (more) dynamic (than the founding
engineers thought) but that all of the documented texts upon wish we
today base arguments are written along the "old think" lines. So
when we get into a battle of RFCs vs. best current practices the two
sides are not speaking the same language.
The DNS can be more dynamic by liberalizing it's ability to learn new
data. It's a sliding curve - more liberal means accepting more
stuff, some of which might be the garbage we don't want. The choice
is between tight and unbending versus dynamic and less trustworthy.
The goal is to strike the right balance.
It is possible for a protocol to do what DNS does and also have
secure updates. But the DNS as it is in the RFCs, lacks a real good
foundation for extension. We can do something, but we will probably
never get to the final goal.
Edward Lewis +1-571-434-5468
Never confuse activity with progress. Activity pays more.
More information about the NANOG