
Re: [dnsext] conclusions drawn in draft-wang-dns-inconsis-ncache-00



I also had a look at the draft.

My reaction is that the way a resolver modifies its cache in response
to a NXDOMAIN response is not important, since NXDOMAIN
is normally an indication of something wrong, and it's quite pathological
to have domains coming and going.

So I don't think any standards action is required. Resolvers should feel
free to handle NXDOMAINs as they see fit, it's hard to see how
different choices will have any major effect.

I don't think forging NXDOMAIN responses is an issue. This is a mild
DoS attack compared to substituting a forged valid response.

I do have some opinions on NXDOMAIN TTLs though. 

While the standard specifies the value in the SOA record is to be used,
I think that some administrators may not be properly aware of this use, and so
a resolver could reasonably use a progressive back-off starting from
a fairly low value, say 10 seconds, increasing the TTL by say 1 minute
with each repeated error up to some maximum value. I suggest this may
be a more practical way to recover from administrative errors.
The most common situation is a newly registered domain, where someone
may be keen to try it out, but is not aware of whether the DNS has yet been configured.

Possibly TLD errors should be handled specially - a TLD error is very
unlikely to be resolved in any short time scale, so a high fixed TTL (1 week say)
seems appropriate.

George
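The back-off scheme George sketches above, written out as a small negative-cache model so the numbers can be checked against the standard SOA-based rule. This is an added illustration, not code from any resolver or from the draft: the 10 second start, 1 minute step and 1 week TLD value come from the post, while the 3600 second cap, the `example.test` name, and the `NegativeCache` class and its method names are assumptions made here.

```python
"""Negative-cache TTL policies for NXDOMAIN answers (illustrative model).

Constructed for this discussion; it is not any resolver's implementation.
"""
from dataclasses import dataclass, field

INITIAL_TTL = 10            # seconds for the first NXDOMAIN seen for a name (from the post)
STEP = 60                   # seconds added per repeated NXDOMAIN (from the post)
MAX_TTL = 3600              # assumed cap; the post names no maximum
TLD_TTL = 7 * 24 * 3600     # fixed TTL when the TLD itself does not exist (from the post)


def rfc2308_negative_ttl(soa_ttl: int, soa_minimum: int) -> int:
    """Standard behaviour: the negative TTL is the smaller of the SOA
    record's own TTL and its MINIMUM field (RFC 2308, section 5)."""
    return min(soa_ttl, soa_minimum)


def backoff_ttl(error_count: int) -> int:
    """Progressive back-off: 10 s for the first error, +60 s per repeat, capped."""
    if error_count < 1:
        raise ValueError("error_count must be >= 1")
    return min(INITIAL_TTL + (error_count - 1) * STEP, MAX_TTL)


def _normalise(name: str) -> str:
    # DNS names are case-insensitive; strip the trailing root dot as well.
    return name.lower().rstrip(".")


@dataclass
class NegativeCache:
    """Tracks NXDOMAIN entries keyed by owner name using the back-off policy.

    `now` is passed explicitly (seconds) so behaviour is deterministic."""
    entries: dict = field(default_factory=dict)   # name -> (expiry, error_count)

    def record_nxdomain(self, name: str, now: float, tld_error: bool = False) -> int:
        """Store a freshly received NXDOMAIN and return the TTL chosen for it."""
        key = _normalise(name)
        _, count = self.entries.get(key, (0.0, 0))
        count += 1
        ttl = TLD_TTL if tld_error else backoff_ttl(count)
        self.entries[key] = (now + ttl, count)
        return ttl

    def is_negative(self, name: str, now: float) -> bool:
        """True while a cached NXDOMAIN for `name` is still live."""
        entry = self.entries.get(_normalise(name))
        return entry is not None and now < entry[0]

    def record_success(self, name: str) -> None:
        """A positive answer arrived (the new domain is now configured):
        drop the entry so the error count restarts from the low value."""
        self.entries.pop(_normalise(name), None)


def simulate_new_domain() -> list:
    """Someone polls a freshly registered name every 5 minutes; the zone is
    configured after the third attempt.  Returns the TTL chosen on each miss,
    plus the TTL after a later relapse, to show the count resets."""
    cache = NegativeCache()
    ttls = []
    now = 0.0
    for _ in range(3):
        if not cache.is_negative("example.test", now):   # constructed name
            ttls.append(cache.record_nxdomain("example.test", now))
        now += 300
    cache.record_success("example.test")
    ttls.append(cache.record_nxdomain("example.test", now))
    return ttls


if __name__ == "__main__":
    print("back-off sequence:", simulate_new_domain())
    print("SOA rule, ttl=3600 minimum=900:", rfc2308_negative_ttl(3600, 900))
```

The polling interval in `simulate_new_domain` (5 minutes) is longer than every TTL it produces, so each lookup reaches the authoritative server and the count climbs 10, 70, 130 seconds; the positive answer then clears the entry, so a later NXDOMAIN starts again at 10 seconds rather than continuing the climb.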