[106731] in North American Network Operators' Group


Re: Why *can* cached DNS replies be overwritten?

daemon@ATHENA.MIT.EDU (Leo Bicknell)
Mon Aug 11 12:00:51 2008

Date: Mon, 11 Aug 2008 11:59:16 -0400
From: Leo Bicknell <bicknell@ufp.org>
To: nanog@nanog.org
Mail-Followup-To: nanog@nanog.org
In-Reply-To: <20080811153925.GP8391@cgi.jachomes.com>
Errors-To: nanog-bounces@nanog.org



In a message written on Mon, Aug 11, 2008 at 11:39:25AM -0400, Jay R. Ashworth wrote:
> Everyone seems to continue asking "why can poisoning overwrite already
> cached answer" and no one seems to be answering, and, unless I'm a
> moron (which is not impossible), that's the crux of this issue.

Let's say you query FOO.COM, and it says "My servers are A, B, and
C." So you cache A, B, and C and go on your merry way.

Now, before the TTL expires the data center with B and C in it gets
hit by a tornado.  The FOO.COM admin quickly stands up two new
servers in a new data center, and updates FOO.COM to be servers A,
D, and E.  So you go back and ask for "newname.foo.com" from A, by
random chance.  A sends you back "it's 1.2.3.4, and A, D, and E
know all about it."

What you're advocating is that the server go, humm, that's not what
I got the first time and keep using A, B, and C, for which B and C
may no longer be authoritative, or worse in this example, are completely
offline.  It would then wait until the TTL expires to get the same
data.

That's not to say there aren't possibly other checks or rechecks
that could be done, but in the vast majority of day to day cases
when someone properly gives you additional information it is useful.

Authorities are updated all the time.  There are thousands of these
cache overwrites with new, more up to date info every day.

-- 
       Leo Bicknell - bicknell@ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/

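The scenario above (the NS set for FOO.COM moving from A, B, C to A, D, E before the TTL runs out) replayed in a toy resolver cache, as an added illustration that is not code from the post or from any real resolver. It applies a simplified version of the RFC 2181 section 5.4.1 trust ranking plus a bailiwick check: the authoritative NS update is accepted because it ranks above the referral data it replaces, while a record outside the responding server's zone, or additional-section data that ranks below what is already cached, is refused. `foo.com` and `1.2.3.4` come from the post; every other name, address, and the `Rank`, `Reply` and `Cache` types are constructed for the example.

```python
"""Toy resolver cache showing how a resolver can accept legitimate updates to
cached data while refusing less-trusted data. Added illustration; not code from
the NANOG post or from any resolver. Ranking is a simplification of RFC 2181
section 5.4.1; all names and addresses other than foo.com/1.2.3.4 are constructed."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, FrozenSet, List, Tuple

Key = Tuple[str, str]            # (owner name, RR type)
RRsets = Dict[Key, FrozenSet[str]]


class Rank(IntEnum):
    """Trust ranking, simplified from RFC 2181 5.4.1; higher is more trusted."""
    REFERRAL_OR_ADDITIONAL = 1   # authority section of a referral, any additional section
    NONAUTH_ANSWER = 2           # answer section of a non-authoritative reply
    AUTH_AUTHORITY = 3           # authority section of an authoritative (AA) reply
    AUTH_ANSWER = 4              # answer section of an authoritative (AA) reply


@dataclass
class Reply:
    aa: bool                                  # authoritative-answer flag
    answer: RRsets = field(default_factory=dict)
    authority: RRsets = field(default_factory=dict)
    additional: RRsets = field(default_factory=dict)


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is the zone apex or below it (root zone not handled)."""
    owner = owner.lower().rstrip(".") + "."
    zone = zone.lower().rstrip(".") + "."
    return owner == zone or owner.endswith("." + zone)


class Cache:
    def __init__(self) -> None:
        self.entries: Dict[Key, Tuple[FrozenSet[str], Rank]] = {}
        self.rejected: List[Tuple[Key, str]] = []

    def ingest(self, reply: Reply, bailiwick: str) -> None:
        """Cache each RRset unless it is out of bailiwick or ranks below what we hold."""
        sections = (
            (Rank.AUTH_ANSWER if reply.aa else Rank.NONAUTH_ANSWER, reply.answer),
            (Rank.AUTH_AUTHORITY if reply.aa else Rank.REFERRAL_OR_ADDITIONAL, reply.authority),
            (Rank.REFERRAL_OR_ADDITIONAL, reply.additional),
        )
        for rank, rrsets in sections:
            for key, rdata in rrsets.items():
                if not in_bailiwick(key[0], bailiwick):
                    self.rejected.append((key, "out of bailiwick"))
                    continue
                cached = self.entries.get(key)
                if cached is not None and cached[1] > rank:
                    self.rejected.append((key, "ranks below cached data"))
                    continue
                # Equal or higher trust replaces the cached RRset; this is the
                # "overwrite" the thread discusses, and it is what lets the
                # A, D, E update land.
                self.entries[key] = (rdata, rank)


def tornado_scenario() -> Cache:
    """Replays the post's example with constructed server names and addresses."""
    cache = Cache()
    # 1. Referral from the .com servers: foo.com NS A, B, C plus glue.
    cache.ingest(Reply(
        aa=False,
        authority={("foo.com.", "NS"): frozenset({"a.ns.foo.com.", "b.ns.foo.com.", "c.ns.foo.com."})},
        additional={("a.ns.foo.com.", "A"): frozenset({"192.0.2.1"}),
                    ("b.ns.foo.com.", "A"): frozenset({"192.0.2.2"}),
                    ("c.ns.foo.com.", "A"): frozenset({"192.0.2.3"})},
    ), bailiwick="com.")
    # 2. Authoritative reply from A after the move: the NS set is now A, D, E.
    #    It also carries an unrelated record for another domain, which the
    #    bailiwick check drops regardless of what the cache holds.
    cache.ingest(Reply(
        aa=True,
        answer={("newname.foo.com.", "A"): frozenset({"1.2.3.4"})},
        authority={("foo.com.", "NS"): frozenset({"a.ns.foo.com.", "d.ns.foo.com.", "e.ns.foo.com."})},
        additional={("d.ns.foo.com.", "A"): frozenset({"198.51.100.4"}),
                    ("e.ns.foo.com.", "A"): frozenset({"198.51.100.5"}),
                    ("www.other.example.", "A"): frozenset({"203.0.113.66"})},
    ), bailiwick="foo.com.")
    # 3. Later authoritative reply whose additional section offers a different
    #    address for newname.foo.com: in bailiwick, but it ranks below the
    #    answer-section data already cached, so the cached RRset stays.
    cache.ingest(Reply(
        aa=True,
        answer={("other.foo.com.", "A"): frozenset({"198.51.100.9"})},
        additional={("newname.foo.com.", "A"): frozenset({"203.0.113.7"})},
    ), bailiwick="foo.com.")
    return cache


if __name__ == "__main__":
    c = tornado_scenario()
    for key, (rdata, rank) in sorted(c.entries.items()):
        print(key, sorted(rdata), rank.name)
    for key, reason in c.rejected:
        print("rejected", key, reason)
```

Run as a script it prints the final cache (foo.com NS now A, D, E at AUTH_AUTHORITY rank) and the two rejections. The design point is that "never overwrite" and "always overwrite" are not the only options: ranking by the section and authority of the reply keeps the legitimate update Leo describes while still refusing data that is less trustworthy than what the cache already holds.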

