Re: [knot-dns-users] minimal responses (was: Re: Knot DNS 2.0.1 patch release)

Hey Robert, "occasionally" useful, yes. As everything it's a compromise. RFC2181 ranks data based on trust level, but that doesn't reflect the correctness of the data as I've seen delegations broken in authoritative data and vice versa. A resolver has to deal with both cases unfortunately, and evaluates all possible options before giving up and be wary of what to accept it cache at the same time. NS in the authority section is really extra data and shouldn't be cached, as it gives the attacker a tool to joust valid NSs out of cache with spoofed ones much more easily. The real problem is that people want DNS to be decentralised when it works and centralised when they make a mistake. This could be solved by providing feed of "purge requests" indexed by time, so the resolvers could poll it and automatically flush part of its cache. It is a glaringly similar problem to RPZ feeds which were adopted really quickly, so I trust it's tractable. Do you know about any efforts going in this direction? Marek On 2 September 2015 at 19:17, Robert Edmonds <edmonds(a)debian.org> wrote: