On Wed, 6 Aug 2014, Casey Deccio wrote:
>> Why does Google DNS seem so inefficient at caching?
>
> Google's implementation seems to recursively query for and cache ANY based on the entire set of records for the same name, rather than on a per-record basis. nohats.ca includes an NSEC3PARAM record with TTL 0. This results in zero caching of ANY queries.
I can confirm that changing the signed zone and setting the NSEC3PARAM TTL to 86400 instantly reduced the stream of ANY queries from a few hundred qps to a few qps.

(My apologies to whoever is the victim of this attack - I guess google's cache will be more effectively DDoSing you now via the open resolvers)

So I guess it's worth poking the recursive resolver people about.

Paul

_______________________________________________
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
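The caching behaviour discussed in the thread, as an added illustration that is not code from the thread, from nohats.ca or from Google: a small Python check that groups a constructed zone snippet (made-up records, documentation addresses) by owner name and computes how long an ANY answer survives when a resolver caches the whole record set as one unit (shortest TTL wins) versus per RRset, and flags the TTL-0 records that make the whole-set cache useless, then shows the effect of raising that TTL as the reply describes.

```python
from collections import defaultdict
from copy import deepcopy

# Constructed zone snippet (owner TTL class type rdata); the addresses are
# documentation ranges and the NSEC3PARAM rdata is made up, not real zone data.
ZONE_LINES = """
nohats.ca.      3600 IN A          192.0.2.10
nohats.ca.      3600 IN MX         10 mail.nohats.ca.
nohats.ca.         0 IN NSEC3PARAM 1 0 10 ABCD
www.nohats.ca.  3600 IN A          192.0.2.11
""".strip().splitlines()

def parse_zone(lines):
    """Group records by owner name: {name: [(rtype, ttl), ...]}."""
    zone = defaultdict(list)
    for line in lines:
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue  # skip blank or unsupported lines
        zone[fields[0]].append((fields[3], int(fields[1])))
    return dict(zone)

def whole_set_ttl(records):
    """Lifetime of an ANY answer cached as a single unit for the name:
    the shortest TTL wins, so one TTL-0 record (NSEC3PARAM here) turns
    every ANY query into a cache miss and a fresh upstream query."""
    return min(ttl for _rtype, ttl in records)

def per_rrset_ttl(records):
    """Lifetime of each RRset if the cache kept records per type instead."""
    lifetimes = {}
    for rtype, ttl in records:
        lifetimes[rtype] = min(ttl, lifetimes.get(rtype, ttl))
    return lifetimes

def find_cache_busters(zone):
    """Owner/type pairs with TTL 0: the records that defeat whole-set caching."""
    return [(name, rtype) for name, recs in zone.items()
            for rtype, ttl in recs if ttl == 0]

def with_ttl(zone, name, rtype, ttl):
    """Copy of the zone with one record type's TTL changed (the fix in the reply)."""
    fixed = deepcopy(zone)
    fixed[name] = [(rt, ttl if rt == rtype else t) for rt, t in fixed[name]]
    return fixed
```

Running `find_cache_busters(parse_zone(ZONE_LINES))` over your own zone dump is a quick way to spot records that would reduce a whole-set ANY cache to zero before a resolver does it for you.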
