[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Q-6: May security-aware resolvers cache "Bad" data?

To: Brian Wellington <Brian.Wellington@nominum.com>
Subject: Re: Q-6: May security-aware resolvers cache "Bad" data?
From: "Olaf M. Kolkman" <olaf@ripe.net>
Date: Mon, 3 Mar 2003 12:16:27 +0100
Cc: sra+namedroppers@hactrn.net, namedroppers@ops.ietf.org
In-reply-to: <Pine.LNX.4.50.0302281852120.11062-100000@spratly.wl.nominum.com>
Organization: RIPE NCC
References: <20030228201606.BCF9018EC@thrintun.hactrn.net><Pine.LNX.4.50.0302281517510.11062-100000@spratly.wl.nominum.com><20030301002842.A696E18EC@thrintun.hactrn.net><Pine.LNX.4.50.0302281852120.11062-100000@spratly.wl.nominum.com>

> 
> If that's what you mean, I'd suggest not using the term "negative 
> caching", which is well defined (the caching of a negative response,
> where negative means either the host or type doesn't exist).  I'd use a
> new term, like "failure caching".
> 
> While forbidding failure caching might be going a bit far, caching
> failures is really not a good idea.  It means that if a server receives
> a spoofed response, it will cache the data, and use the cached failure
> as an indication to not try again.  This leads to obvious DoS attacks. 
> Not caching failures has other problems (bandwidth amplification
> attacks), but the ability to spoof a server into caching failure is much
> worse.


Just one comment:

There are two reasons for failure: Crypto failure and Expiration. You
may want to treat them differently.

If you do failure caching (I am not quite convinced you want to) you
want to do that based on local policy and use TTLs that are
relatively short (order 10s of seconds).



--Olaf



--------------------------------------------| Olaf M. Kolkman
                                            | www.ripe.net/disi


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

References:
- Q-6: May security-aware resolvers cache "Bad" data?
  - From: Rob Austein <sra+namedroppers@hactrn.net>
- Re: Q-6: May security-aware resolvers cache "Bad" data?
  - From: Brian Wellington <Brian.Wellington@nominum.com>
- Re: Q-6: May security-aware resolvers cache "Bad" data?
  - From: Rob Austein <sra+namedroppers@hactrn.net>
- Re: Q-6: May security-aware resolvers cache "Bad" data?
  - From: Brian Wellington <Brian.Wellington@nominum.com>

Prev by Date: Re: draft-weiler-dnsext-dnssec-2535-compat-00.txt
Next by Date: Re: draft-weiler-dnsext-dnssec-2535-compat-00.txt
Previous by thread: Re: Q-6: May security-aware resolvers cache "Bad" data?
Next by thread: Re: Q-6: May security-aware resolvers cache "Bad" data?
Index(es):
- Date
- Thread