netsec-sig - [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?
Subject: Internet2 Network Security SIG
List archive
- From: David Farmer <>
- To: Bill Owens <>
- Cc: Steven Wallace <>, "" <>, NTAC <>, Kim Milford <>, "" <>
- Subject: [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?
- Date: Thu, 2 Nov 2017 22:29:24 -0500
Serving stale DNS entries is by no means ideal. However, if you can't refresh entries, serving stale info and having the user get a "can't reach the server" is a better option than not answering or basically saying there isn't an answer. At least in my opinion. Because today, when partitioned from the Internet, a recursive DNS server essentially implodes after about 5 to 10 minutes because of the backlog of attempts to refresh info whose TTL has expired, giving up and serving stale info is a better option.
So for a recursive resolver, I think serving stale info is a better failure mode in general.
That's my 2 cents.
On Thu, Nov 2, 2017 at 8:44 PM, Bill Owens <> wrote:
It sounds as though this would solve many problems in your isolated campus scenario, but I wonder about the side effects on providers who load balance by returning different DNS results. It’s not uncommon to see 60-second TTLs in records from cloud providers, sometimes even shorter. I think it is unlikely that the server behind whatever A record BIND decided to stick with would simply go away, but it is possible that server would be overwhelmed by the continuous load from your campus. It might be worth a discussion with your critical cloud providers, if they’re willing to discuss that ‘secret sauce’.
Bill.
On Nov 2, 2017, at 11:00 AM, Steven Wallace <> wrote:
It’s going to get better. BIND 9.12 (currently in beta, GA due out end of year?) supports “serve stale” (see: https://tools.ietf.org/html/draft-tale-dnsop-serve-stale-02 ). Serving Stale Data to Improve DNS Resiliency - does what you’d expect. If the resolver can’t update a cached entry, it responds with its current cached entry. BTW, this would have mitigated the October Dyn outage, which left many in the community without access to Box, PayPal, etc., despite the fact that we had working network paths to these service providers.
===============================================
David Farmer
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE Phone: 612-626-0815
Minneapolis, MN 55414-3029 Cell: 612-812-9952
===============================================
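The two failure modes argued over in this thread (SERVFAIL once the TTL runs out versus handing back the expired answer) can be modelled in a few dozen lines. The block below is an added example and is not code from the thread, from the draft, or from BIND. It imitates the semantics the draft and BIND 9.12 describe: a cached answer is served while fresh; once its TTL expires the resolver tries to refresh; if the refresh fails it either returns SERVFAIL (classic behaviour) or returns the expired answer with a short TTL for at most a bounded stale window. The option names mirror BIND's named.conf options (stale-answer-enable, max-stale-ttl, stale-answer-ttl) but the implementation is a toy, and the upstream, addresses (TEST-NET-1), names and timings are all constructed for the example. The constructed upstream rotates between two addresses the way a DNS-based load balancer would, so the run also shows Bill's side effect: once the campus is cut off, every stale answer pins the one address that happened to be cached last.

```python
"""Toy model of a recursive resolver cache with and without serve-stale.

Added example, not from the thread or from BIND.  Option names mirror
BIND's named.conf options but the logic is a simplification: a real
resolver bounds the number of outstanding refresh attempts and rate
limits stale answers; this toy attempts one refresh per expired query.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


class UpstreamUnreachable(Exception):
    """Raised by the upstream callback when no authoritative server answers."""


@dataclass
class CacheEntry:
    rdata: str
    ttl: int
    inserted_at: float

    def expires_at(self) -> float:
        return self.inserted_at + self.ttl


@dataclass
class Answer:
    rcode: str              # "NOERROR" or "SERVFAIL"
    rdata: Optional[str]
    ttl: Optional[int]
    stale: bool = False     # True when the answer came from an expired entry


# upstream(name, now) -> (rdata, ttl) or raises UpstreamUnreachable
Upstream = Callable[[str, float], Tuple[str, int]]


class Resolver:
    def __init__(self, stale_answer_enable: bool = False,
                 max_stale_ttl: int = 86400, stale_answer_ttl: int = 1):
        self.stale_answer_enable = stale_answer_enable   # stale-answer-enable
        self.max_stale_ttl = max_stale_ttl               # max-stale-ttl (seconds)
        self.stale_answer_ttl = stale_answer_ttl         # stale-answer-ttl (seconds)
        self.cache: Dict[str, CacheEntry] = {}
        self.refresh_attempts = 0

    def lookup(self, name: str, now: float, upstream: Upstream) -> Answer:
        entry = self.cache.get(name)
        # Fresh hit: serve it with the remaining TTL.
        if entry is not None and now < entry.expires_at():
            return Answer("NOERROR", entry.rdata, int(entry.expires_at() - now))
        # Miss or expired: try to refresh from upstream.
        self.refresh_attempts += 1
        try:
            rdata, ttl = upstream(name, now)
        except UpstreamUnreachable:
            # Serve-stale path: only if enabled, only if we ever had an
            # answer, and only inside the max-stale-ttl window past expiry.
            if (self.stale_answer_enable and entry is not None
                    and now - entry.expires_at() <= self.max_stale_ttl):
                return Answer("NOERROR", entry.rdata, self.stale_answer_ttl, stale=True)
            return Answer("SERVFAIL", None, None)
        self.cache[name] = CacheEntry(rdata, ttl, now)
        return Answer("NOERROR", rdata, ttl)


def failing_upstream(name: str, now: float) -> Tuple[str, int]:
    """Constructed upstream that models a fully partitioned campus."""
    raise UpstreamUnreachable(name)


def run_partition_scenario(stale_answer_enable: bool,
                           max_stale_ttl: int = 3600) -> List[Tuple]:
    """Query one name every 10 s for two minutes; the (constructed) upstream
    load-balances between two addresses with 20 s TTLs and becomes
    unreachable at t=30 s.  Returns (t, rcode, rdata, ttl, stale) per query."""
    pool = ["192.0.2.10", "192.0.2.11"]   # constructed TEST-NET-1 addresses
    state = {"i": 0}

    def upstream(name: str, now: float) -> Tuple[str, int]:
        if now >= 30:
            raise UpstreamUnreachable(name)
        rdata = pool[state["i"] % len(pool)]
        state["i"] += 1
        return rdata, 20

    r = Resolver(stale_answer_enable=stale_answer_enable, max_stale_ttl=max_stale_ttl)
    timeline = []
    for now in range(0, 130, 10):
        a = r.lookup("app.example.net", now, upstream)
        timeline.append((now, a.rcode, a.rdata, a.ttl, a.stale))
    return timeline


if __name__ == "__main__":
    for mode in (False, True):
        print("stale-answer-enable", "yes" if mode else "no")
        for t, rcode, rdata, ttl, stale in run_partition_scenario(mode):
            print(f"  t={t:3d}s {rcode:8s} {rdata or '-':12s} ttl={ttl} stale={stale}")
```

Running it shows the classic resolver answering NOERROR for the first 40 seconds and SERVFAIL for the rest of the partition, while the serve-stale resolver keeps answering NOERROR with a 1 second TTL, always with 192.0.2.11, the address cached just before the cut. The short stale TTL is what lets clients notice as soon as the refresh succeeds again; the max-stale-ttl bound is what stops a long-dead record from being served forever.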
- [Security-WG] DNS Serving Stale to the rescue?, Steven Wallace, 11/02/2017
- [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?, Bill Owens, 11/03/2017
- [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?, David Farmer, 11/03/2017
- [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?, Steven Wallace, 11/03/2017
- [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?, Akbar Kara, 11/03/2017
- [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?, Steven Wallace, 11/03/2017
- [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?, Dave Diller, 11/03/2017
- [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?, Brad Fleming, 11/03/2017
- [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?, Steven Wallace, 11/03/2017
- Re: [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?, David Farmer, 11/03/2017
- [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?, Brad Fleming, 11/03/2017
- [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?, Jeff Bartig, 11/03/2017
- [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?, Dave Diller, 11/03/2017
- Re: [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?, Paul Howell, 11/03/2017
- Re: [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?, David Farmer, 11/06/2017
- [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?, Steven Wallace, 11/03/2017
- [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?, Akbar Kara, 11/03/2017
- [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?, Bill Owens, 11/03/2017