On Fri, Mar 28, 2025 at 02:44:47PM -0400, Paul Wouters <[email protected]> wrote a message of 33 lines which said:
> I reviewed draft-bortzmeyer-dnsop-poisonlicious-00 as I have an
> interest in being able to link DNS caches together.

Thanks and sorry for the delay in replying.

> In any way, this might be tricky in cases of very low TTL, eg
> TTL=0. I think it should perhaps only do this for TTL >= some value.

I agree.

> I think it is important to consider two different use cases. One
> where the DNS caches are all under a single administrative
> domain. There you can perhaps trust each cache implicitly. But to me
> the more interesting case is where you link untrusted caches

This second use case was clearly out of scope for the draft, because it
is much more complicated and risky, security-wise.

> And in that case the receiving DNS resolver should still validate
> the data given

This would seriously reduce the value of this system. The goal, after
all, was to decrease the work of the receiving resolvers.

> Nothing is said about using long lived TCP sessions, which it probably should
> do.

Added.

> All in all, I am not yet sure if doing this via the DNS protocol is
> the right way, versus a database backend sync (eg redis/valkey).

The DNS protocol's strong points:

* standardized
* simple and already implemented in every resolver

(At the hackathon we also tested with MQTT.)
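An added example, not code from the draft or from either participant, of how a receiving resolver could apply the two points raised above: a minimum-TTL threshold (so TTL=0 entries are never imported) and a distinction between caches in the same administrative domain and untrusted ones, where only the latter are pushed through the resolver's own validation path. The entry format, peer identifiers, threshold value and the in-transit "age" parameter are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SharedEntry:
    """A cache entry pushed by another resolver (constructed format, not the draft's)."""
    name: str
    rtype: str
    rdata: tuple
    ttl: int    # remaining TTL in seconds as seen by the sending cache
    peer: str   # identifier of the sending resolver (assumed field)


ACCEPT, VALIDATE, REJECT = "accept", "validate", "reject"


class AdmissionPolicy:
    """Decides what the receiving resolver does with an entry shared by a peer cache."""

    def __init__(self, min_ttl: int, trusted_peers: frozenset):
        self.min_ttl = min_ttl              # entries with a shorter TTL are not worth importing
        self.trusted_peers = trusted_peers  # caches under the same administrative domain

    def decide(self, entry: SharedEntry, age: int = 0) -> tuple:
        """Return (decision, ttl_to_store); age = seconds elapsed since the sender read the TTL."""
        remaining = entry.ttl - age  # the record keeps aging while in transit
        if remaining < self.min_ttl:
            # Covers the TTL=0 case: the record would expire before it is useful.
            return REJECT, 0
        if entry.peer not in self.trusted_peers:
            # Untrusted cache: never install as-is; hand it to the resolver's own
            # validation path (this costs the work sharing was meant to save,
            # which is why the draft limits itself to a single administrative domain).
            return VALIDATE, remaining
        return ACCEPT, remaining


def classify(entries, policy: AdmissionPolicy, age: int = 0) -> dict:
    """Apply the policy to a batch and return {decision: [owner names]}."""
    out = {ACCEPT: [], VALIDATE: [], REJECT: []}
    for entry in entries:
        decision, _ = policy.decide(entry, age)
        out[decision].append(entry.name)
    return out


# Constructed sample: three entries from two peer caches, one trusted, one not.
SAMPLE = [
    SharedEntry("www.example.", "A", ("192.0.2.1",), 3600, "cache-a.example"),
    SharedEntry("short.example.", "A", ("192.0.2.2",), 0, "cache-a.example"),
    SharedEntry("other.example.", "AAAA", ("2001:db8::1",), 300, "cache-z.example"),
]
POLICY = AdmissionPolicy(min_ttl=30, trusted_peers=frozenset({"cache-a.example"}))
```

Running `classify(SAMPLE, POLICY, age=5)` accepts `www.example.`, sends `other.example.` to validation and rejects `short.example.`.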
