On Mon, Mar 09, 2026 at 05:53:29PM +0000, Mukund Sivaraman wrote:
> Some negative-only eviction code has been tried in some resolver
> implementations to work around random subdomain attacks, but such
> approaches have been ineffective and cause other problems. For example,
> a way for attackers to fill up the cache is to query for unknown types
> and cause NODATA responses to be cached - so a hack was introduced to
> evict negative entries of unknown types in preference. When SVCB/HTTPS
> RRtypes came along, web browsers implemented support for them much more
> quickly before deployed resolvers supported them. Queries for HTTPS
> caused TYPE65 entries to be cached that were evicted in preference as
> types unknown to the resolver, and the cache was ineffective to prevent
> resolutions.

Sorry, I misremembered this. This didn't have anything to do with
unknown types. It was just negative-first eviction that caused issues
with HTTPS. Many zones did not have HTTPS records configured, and
browsers always queried them. So they resulted in NODATA responses, which
were cached and immediately evicted because the cache was always at full
capacity. And browsers kept querying for them, and queries continuously
arrived for popular names whose NODATA negative entries were already
evicted from cache, so they caused resolutions continuously.

                Mukund
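The thrashing described in the reply above, as an added toy simulation that is not part of the thread or of any resolver's code: a tiny cache with a constructed workload (five "popular" names whose HTTPS lookups return NODATA, plus a stream of one-off names with positive answers that keeps the cache at capacity) is run once with plain LRU eviction and once with negative-first eviction, counting how many of the popular HTTPS lookups had to be resolved upstream. The capacity, name lists and round counts are invented parameters chosen only to keep the cache full.

```python
from collections import OrderedDict

# Constructed workload parameters for the toy simulation (not from the thread).
CAPACITY = 20                  # total cache slots; small so the cache is always full
POPULAR_NAMES = [f"site{i}.example.com" for i in range(5)]  # names browsers hit every round
CHURN_PER_ROUND = 8            # distinct one-off names per round, each with a positive answer
ROUNDS = 10


class ResolverCache:
    """Toy resolver cache: one entry per (name, rrtype), evicting only when full.

    policy="lru"            evicts the least recently used entry.
    policy="negative_first" evicts the oldest negative (NODATA/NXDOMAIN) entry if
                            one exists, otherwise falls back to LRU.
    """

    def __init__(self, capacity, policy):
        self.capacity = capacity
        self.policy = policy
        # key -> is_negative; OrderedDict order doubles as LRU recency order
        self.entries = OrderedDict()
        self.resolutions = 0  # upstream recursive resolutions performed

    def lookup(self, name, rrtype, is_negative):
        """Return True on a cache hit; on a miss, 'resolve' upstream and cache it."""
        key = (name, rrtype)
        if key in self.entries:
            self.entries.move_to_end(key)
            return True
        self.resolutions += 1
        if len(self.entries) >= self.capacity:
            self._evict()
        self.entries[key] = is_negative
        return False

    def _evict(self):
        if self.policy == "negative_first":
            for key, negative in self.entries.items():  # oldest first
                if negative:
                    del self.entries[key]
                    return
        self.entries.popitem(last=False)  # LRU fallback: drop the oldest entry


def simulate(policy):
    """Run the constructed workload and count how often the popular names'
    HTTPS (NODATA) lookups missed the cache and had to be resolved upstream."""
    cache = ResolverCache(CAPACITY, policy)
    https_resolutions = 0
    churn = 0
    for _ in range(ROUNDS):
        # A browser visit asks for A (positive) and HTTPS (NODATA in these zones).
        for name in POPULAR_NAMES:
            cache.lookup(name, "A", is_negative=False)
            if not cache.lookup(name, "HTTPS", is_negative=True):
                https_resolutions += 1
        # Background traffic: fresh names with positive answers keep the cache full.
        for _ in range(CHURN_PER_ROUND):
            churn += 1
            cache.lookup(f"host{churn}.example.net", "A", is_negative=False)
    return https_resolutions


def compare_policies():
    """Popular-name HTTPS upstream resolutions per eviction policy."""
    return {policy: simulate(policy) for policy in ("lru", "negative_first")}


if __name__ == "__main__":
    for policy, count in compare_policies().items():
        print(f"{policy:15s} popular HTTPS lookups resolved upstream: {count}")
```

With LRU the five NODATA entries are resolved once and then stay hot, so only the first round goes upstream. With negative-first eviction the background churn evicts exactly those entries every round, and from the second round on every popular HTTPS query is resolved again even though the answer has not changed; the cache still looks full, which is why the problem is easy to miss from hit-rate figures alone.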

_______________________________________________
DNSOP mailing list -- [email protected]