Describe DNS/GDN/feature here.
I saw an opinion like this on the bind-user ML.
This is just my opinion, but this is not a bug. It's the side effect of a desirable feature called caching.
Yea, we can brainstorm how to mitigate the effect, but in order to mitigate a problem, we have to know that there is a problem (revoked or bad domain).
1) How would we (as DNS server operators) know when a domain name is revoked? (Gee, sounds like what the US government wants to do, and it seems the community does not like that idea, and I agree it's a bad idea to put the US DHS in charge of that list.)
2) Restart or flush our DNS cache frequently? Let's assume the A record TTL is 24 hrs. And if we decide to flush the cache once a day? That leaves a whole bunch of time that we are open to this and not much remaining time for the record in cache. I fail to see the benefit here. The idea to flush just the 'bad' domain fails due to #1, IMHO.
3) Maybe I don't understand DNS cache and its relationship with DNSSEC yet. But if my server caches a good answer (verified via DNSSEC), why would my server recheck the DNSSEC records until the TTL has elapsed? My thinking (and I could be quite wrong here) is that my server will cache a good verified answer and DNSSEC does not seem to help here. Please let me know where I am wrong here if I am.
Lyle Giese LCR Computer Services, Inc.
On 09.02.12 11:43, Lyle Giese wrote:
> This is just my opinion, but this is not a bug. It's the side effect of a desirable feature called caching.
It's a design flaw - you cache something forever, even in case you should not do it. The cache time is given and we should not expand it, for valid reasons.
> Yea, we can brainstorm how to mitigate the effect, but in order to mitigate a problem, we have to know that there is a problem (revoked or bad domain).
I think that the described draft seems to solve the problem.
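A toy model of the cache-time point in the reply above, added here as an example (not code from the thread, and not BIND's cache logic): a resolver that lets every repeat sighting of a record push its expiry forward keeps a revoked delegation alive for as long as something keeps answering, while one that never extends an entry past the expiry the parent gave it lets the record die on schedule. The names `Cache`, `simulate` and `ghost.example` are constructed for this illustration.

```python
# Added example, not from the thread or from BIND: two cache policies for
# the same stream of answers, to show why the given cache time must not be expanded.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Entry:
    value: str
    expires: int      # absolute time (seconds) at which the entry stops being served
    hard_expiry: int  # expiry given by the parent delegation; must never be exceeded


class Cache:
    def __init__(self, extend_ttl: bool):
        self.extend_ttl = extend_ttl  # True = flawed "refresh on every sighting" policy
        self.entries: Dict[str, Entry] = {}

    def learn(self, name: str, value: str, ttl: int, now: int, from_parent: bool) -> None:
        new_expiry = now + ttl
        if from_parent:
            # The parent zone is the authority for the delegation: this sets the cache time.
            self.entries[name] = Entry(value, new_expiry, new_expiry)
            return
        old = self.entries.get(name)
        if old is None or now >= old.expires:
            return  # a child-side answer cannot (re)create a delegation that is not cached
        if self.extend_ttl:
            old.expires = new_expiry  # flawed: repeat sightings push the expiry forward forever
        else:
            old.expires = min(new_expiry, old.hard_expiry)  # capped at the given cache time

    def lookup(self, name: str, now: int) -> Optional[str]:
        e = self.entries.get(name)
        return None if e is None or now >= e.expires else e.value


def simulate(extend_ttl: bool, ttl: int = 86400, days: int = 30) -> int:
    """Parent delegates ghost.example once with a 24h TTL, then the parent revokes it
    and only the child's server keeps answering every hour. Returns how many hourly
    lookups still resolved over `days` days."""
    cache = Cache(extend_ttl)
    cache.learn("ghost.example", "192.0.2.1", ttl, now=0, from_parent=True)  # constructed sample
    resolvable_hours = 0
    for t in range(0, days * 86400, 3600):
        cache.learn("ghost.example", "192.0.2.1", ttl, now=t, from_parent=False)
        if cache.lookup("ghost.example", t) is not None:
            resolvable_hours += 1
    return resolvable_hours


if __name__ == "__main__":
    print("extend on every sighting:", simulate(True), "hours")   # 720: never expires
    print("capped at given expiry:  ", simulate(False), "hours")  # 24: dies with the delegation
```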