Vladimír Čunát wrote:
> On 20/11/2025 17.30, Duane Powers wrote:
>> I have submitted a new individual draft proposing the EXPIRE opcode,
>> which allows an authenticated authoritative operator to request
>> immediate deletion of a specific RRset from a resolver cache.

> I'm afraid that this would even more encourage behavior that is detrimental
> to the DNS ecosystem.

I concur.
I don't think it will get deployed widely enough to be useful, and since it
requires authorization, few who need it will actually have the right
permissions!

> I.e. we break our DNS, but since we can fix 8.8.8.8 and a few others, it's
> just fine.  I believe that this kind of cache-flushing should be very
> exceptional for absolute emergency, not something with an automated
> protocol.

What I think might be useful would be an option to a query that would ask for
some kind of revalidation.   This would be an obvious DoS vector, so it's
really a gentle request to a recursive cache to add the QNAME to some kind of
queue of work to restart the process from empty.   An authoritative resolver
owner, who goes through some (partial) breakage, might use this in order to see
new queries again.
(This does raise the possibility that the goal is to create a new query which
a poisoned reply can impersonate.  But. DNSSEC.)

(I feel like maybe this exists already?)


--
Michael Richardson <[email protected]>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide