Hello. On 08/09/2021 11.12, Ruben van Staveren via dns-operations wrote:
should we do more analysis of this phenomenon and even have a dns flag day before even more resolvers and operators are going to implement RFC8198? There might be an issue by deliberately exploiting this and make websites/mail unreachable.
Measuring how much this happens might be nice (or similar problems), but I don't think it will be worth a flag day. Aggressive resolvers have been deployed for years, and it apparently hasn't caused that much trouble.
As for possibility of exploitation... experience (e.g. with F5) shows that some parties just won't fix stuff until there's significant pressure. I'd think that now the "gradient" for this is that operators should deploy aggressive caching instead of delaying, and that will help cleaning up this behavior (which has been non-compliant since RFC 4034+, not since 8198).
--Vladimir | knot-resolver.cz
_______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations
