* Mark Allman:

> The Domain Name System (DNS) is a critical component of the Internet
> infrastructure that has many security vulnerabilities. In particular,
> shared DNS resolvers are a notorious security weak spot in the system.
> We propose an unorthodox approach for tackling vulnerabilities in
> shared DNS resolvers: removing shared DNS resolvers entirely and
> leaving recursive resolution to the clients.

This is a bit over the top. I've suggested multiple times that one possible way to make DNS cache poisoning less attractive is to cache only records which are stable over multiple upstream responses, and limit the time-to-live not just in seconds, but also in client responses. Expiry in terms of client responses does not cause a cache expiration, but a new upstream query once the record is needed again. If the new response matches what is currently in the cache, double the new client response time-to-live count from the previous starting value. If not, start again at the default low value (perhaps even 1). Doing this for infrastructure records is a bit tricky, but I'm sure something can be worked out.
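The response-counted cache sketched in the reply above, worked through as an added Python example; this is not code from the list post or from any real resolver. It assumes a single name, a starting budget of 1 client response, an upper bound on the budget, and that an entry whose seconds TTL has run out is treated as a brand-new record rather than compared against the fresh answer (the post does not say what to do in that case). The addresses and the scripted upstream replies are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample types: an "answer" is a tuple of address strings, and an
# upstream is anything that returns (answer, ttl_seconds) for a name.
Answer = Tuple[str, ...]
Upstream = Callable[[str], Tuple[Answer, int]]


@dataclass
class Entry:
    answer: Answer
    stored_at: float   # clock reading when this answer came from upstream
    ttl_seconds: int   # conventional seconds TTL from the upstream response
    remaining: int     # client responses still allowed from this cached answer
    start: int         # size of the current response budget (doubles on match)
    probation: bool    # True until a second upstream response has confirmed it


class ResponseCountedCache:
    """Cache entries expire by client-response count as well as by seconds.

    Running out of responses does not evict the entry; it only forces a fresh
    upstream query the next time the name is needed. The fresh answer is then
    compared with the cached one: a match doubles the response budget, a
    mismatch resets it to `initial` (assumed default: 1).
    """

    def __init__(self, initial: int = 1, max_start: int = 1024) -> None:
        self.initial = initial
        self.max_start = max_start
        self.entries: Dict[str, Entry] = {}
        self.upstream_queries = 0

    def lookup(self, name: str, upstream: Upstream, now: float) -> Tuple[Answer, str]:
        """Answer one client query; returns (answer, 'cache' or 'upstream')."""
        entry = self.entries.get(name)
        fresh = entry is not None and now - entry.stored_at < entry.ttl_seconds
        if fresh and entry.remaining > 0:
            entry.remaining -= 1
            return entry.answer, "cache"

        answer, ttl = upstream(name)
        self.upstream_queries += 1
        if fresh and answer == entry.answer:
            # Stable record. The first confirmation ends probation at the default
            # low budget; every later confirmation doubles the budget.
            start = self.initial if entry.probation else min(entry.start * 2, self.max_start)
            self.entries[name] = Entry(answer, now, ttl, start, start, probation=False)
        else:
            # New or changed record (a seconds-expired entry is treated as new,
            # an assumption of this example). The client gets this answer, but
            # it is not served from cache until a second upstream response
            # agrees with it, so a single odd response cannot be replayed.
            self.entries[name] = Entry(answer, now, ttl, 0, self.initial, probation=True)
        return answer, "upstream"


def simulate(answers: List[Answer], lookups: int, ttl: int = 300) -> List[Tuple[str, Answer]]:
    """Run `lookups` client queries for one name against a scripted upstream.

    `answers` lists the upstream's reply to each successive upstream query
    (the last one repeats). One clock tick passes per lookup. Returns the
    (source, answer) pair each client received. Constructed input.
    """
    cache = ResponseCountedCache(initial=1)
    calls = {"n": 0}

    def upstream(_name: str) -> Tuple[Answer, int]:
        i = min(calls["n"], len(answers) - 1)
        calls["n"] += 1
        return answers[i], ttl

    trace = []
    for t in range(lookups):
        answer, source = cache.lookup("www.example.com", upstream, now=float(t))
        trace.append((source, answer))
    return trace


if __name__ == "__main__":
    A, B = ("192.0.2.1",), ("198.51.100.9",)   # constructed documentation addresses
    for source, answer in simulate([A, A, A, B], 12):
        print(f"{source:8s} {answer[0]}")
```

With a stable upstream the budget grows 1, 2, 4, 8 responses between re-validations, so a long-lived record costs very few upstream queries. When the upstream answer changes (the `B` reply in the scripted run) the budget drops back to probation and has to be rebuilt from 1, which is what makes a poisoned answer worth much less to an attacker than under plain seconds-based caching: it is re-checked almost immediately and re-checked again after every small batch of clients.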
