On 3/27/15 9:48 AM, Warren Kumari wrote:
Joe Abley and I wrote some Internet Drafts on this.

Requirements for a Mechanism for Remote-Triggered DNS Cache Flushes -
draft-jabley-dnsop-flush-reqs-00
and
A Mechanism for Remote-Triggered DNS Cache Flushes (DNS FLUSH) -
http://tools.ietf.org/html/draft-jabley-dnsop-dns-flush-00

The above is quite elegant. And it does not require some new trust framework. I can NOTIFY any resolver I wish, and they can check to see if their cache is current by querying the master server (*before* flushing, hopefully).

Richard.


Some slides: http://www.ietf.org/proceedings/88/slides/slides-88-dnsop-5.pdf

I eventually got bored and have started writing an out-of-band thing.
It is basically a cooperative model.

Basically a django app where a domain operator / owner will create an
account and register their domains. The system will confirm domain
ownership (kinda like a CA does (send emails, publish a TXT record,
etc)).
When something goes wrong, the domain operator logs in and requests a
cache flush.
The system then publishes (using pubsubhubbub) a signed cache flush request.

Resolvers will run a (very) small daemon that listens for pubsub
messages, validates them and then runs e.g. rndc flush $domain.

Domain owners have an incentive to do this to recover from Oopses.
Resolver operators have less of an incentive, but I think many will
still be willing to do this -- it protects their users, removes
operational annoyance, etc. The message format, etc will all be
published, so resolver operators can either just install the (to be
provided) daemon, or roll their own.

I cannot remember Geoff's numbers, but we need <100 of the largest
resolvers to get >85% of users.

W
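The resolver-side daemon sketched above, as an added example that is not code from this thread, from the drafts, or from the django app being described. It assumes a hypothetical JSON message format (domain, issued_at, nonce, sig), uses an HMAC over a canonical payload with a constructed shared key as a stand-in for whatever signature the real service would use, and runs BIND's per-name flush command (`rndc flushname`) as an argv list rather than a shell string so the domain from the message can never be interpreted as shell syntax. It also takes an optional `serial_lookup` hook so the resolver can do Richard's check (compare its cached SOA serial with the master's) before it flushes anything; that hook is an assumption, not something the drafts specify.

```python
import hashlib
import hmac
import json
import re
import subprocess
import time

# Constructed demo key shared between the flush service and this daemon.
# Stand-in for the real signature check; not a real credential.
SERVICE_KEY = b"constructed-demo-key-not-for-production"
MAX_AGE_SECONDS = 300   # reject requests older than this (replay window)
CLOCK_SKEW_SECONDS = 60 # tolerate a slightly future-dated timestamp
_seen_nonces = set()    # nonces already acted on (replay protection)

# Hostname syntax only: labels of letters/digits/hyphen, 1-63 chars each.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")


def canonical_payload(domain, issued_at, nonce):
    """Byte string both sides MAC over; key order and spacing are fixed."""
    body = {"domain": domain.lower(), "issued_at": int(issued_at), "nonce": str(nonce)}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_request(domain, issued_at, nonce, key=SERVICE_KEY):
    """Publisher side: build the message the flush service would publish."""
    mac = hmac.new(key, canonical_payload(domain, issued_at, nonce), hashlib.sha256).hexdigest()
    return {"domain": domain, "issued_at": issued_at, "nonce": nonce, "sig": mac}


def validate_request(msg, now=None, key=SERVICE_KEY, seen=_seen_nonces):
    """Return (domain, None) if the message is acceptable, else (None, reason)."""
    now = time.time() if now is None else now
    try:
        domain = str(msg["domain"])
        issued_at = int(msg["issued_at"])
        nonce = str(msg["nonce"])
        sig = str(msg["sig"])
    except (KeyError, TypeError, ValueError) as exc:
        return None, f"malformed request: {exc}"
    # 1. Authenticity: constant-time compare of the MAC over the canonical payload.
    expected = hmac.new(key, canonical_payload(domain, issued_at, nonce), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None, "bad signature"
    # 2. Freshness: a captured message must not be usable indefinitely.
    if not (now - MAX_AGE_SECONDS <= issued_at <= now + CLOCK_SKEW_SECONDS):
        return None, "stale or future-dated request"
    # 3. Replay: each nonce is honoured once.
    if nonce in seen:
        return None, "replayed nonce"
    # 4. Syntax: only a well-formed hostname ever reaches rndc.
    if len(domain) > 253 or not _HOSTNAME_RE.match(domain):
        return None, "domain is not a valid hostname"
    seen.add(nonce)
    return domain.lower().rstrip("."), None


def build_flush_command(domain):
    """argv for BIND's per-name flush; a list, never a shell string."""
    return ["rndc", "flushname", domain]


def handle_message(msg, now=None, run=False, serial_lookup=None, **kw):
    """Daemon decision for one pubsub message.

    Returns ("flush", argv), ("skip", reason) or ("reject", reason).
    serial_lookup(domain) -> (cached_soa_serial, authoritative_soa_serial)
    is the hypothetical hook for checking the master before flushing.
    """
    domain, reason = validate_request(msg, now=now, **kw)
    if domain is None:
        return "reject", reason
    if serial_lookup is not None:
        cached, authoritative = serial_lookup(domain)
        if cached == authoritative:
            return "skip", "cached SOA serial already matches the master"
    argv = build_flush_command(domain)
    if run:  # only actually invoke rndc when the daemon is run for real
        subprocess.run(argv, check=True)
    return "flush", argv


if __name__ == "__main__":
    demo = sign_request("example.com", int(time.time()), "demo-nonce-1")
    print(handle_message(demo, seen=set()))
```

The four checks are deliberately ordered so that the cheapest and most decisive one (the MAC) runs first and no unauthenticated field is parsed any further than needed; the hostname check is what stands between a message body and the `rndc` argument list, and the `serial_lookup` hook is where a resolver operator would add the "is my cache actually stale?" query before spending a flush.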

On Fri, Mar 27, 2015 at 10:48 AM, Mike Jones <[email protected]> wrote:
Every couple of months someone posts on a selection of industry
mailing lists that something has happened and can everyone please
flush their DNS caches for mywebsite.com. Often someone follows up the
discussion by suggesting some kind of automated system, which results
in a mention of OpenDNS's/Google's flush pages; there is a little more
suggestion that a community flush system would be useful, then the
thread fizzles out.

I hereby propose an automated cache flush mechanism. I have no idea
what such a protocol should look like, however support for it probably
needs to be built in to standard DNS software. BIND needs a setting
that can tell it to register with "cacheflushservice.net" which will
result in the "cacheflushservice.net" server sending out a request to
flush google.com to all registered servers whenever I ask them to
flush google.com for me.

Comments? Ideas? Does someone want to make a slightly more formal
proposal for what such a protocol should look like?

- Mike Jones
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs


