On 2/9/24 12:39, Mark Andrews wrote:
> Do the analysis where the resolver is under attack or the auth server with the best rtt is stale.

I admit here we most often work with internal-only forwarders, which are not accessible from the outer internet. So those won't be under attack, at least directed from the uncontrolled outside. For an internal organization resolver it is somehow easier to find the source of an attack and have them stopped. Something not possible on the public internet. And of course, if an auth server becomes unreachable, it is up to the resolver to try alternative servers known. If they do not respond as well, then yes, stale cache is the only thing protecting us from serving SERVFAILs.
But I am not sure how that contradicts what I have written before. Can you elaborate a bit more, please?
--
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users