[bind10-dev] About resolver Negative Cache Design

Shane Kerr shane at isc.org
Fri Feb 18 10:56:43 UTC 2011


Likun,

On Fri, 2011-02-18 at 18:40 +0800, Likun Zhang wrote:
> > 2. Keep only one cache and make special process for NXDOMAIN and
> > NOERROR_NODATA.
> > This can keep current implementation almost intact except some special
> > processing for NXDOMAIN/NOERROR responses.
> > But this design cannot make NXDOMAIN info shared between different types for
> > the same domain name because the cache is keyed with (DOMAIN NAME, TYPE).
> > 
> 
> Another problem with the second solution is: you can't control the size of
> the negative cache (do we need to do it?), so it will enable some bad guy to
> make the cache full of negative answers. My understanding is: the
> main job of a resolver is to tell people the information about a
> domain, not that the domain doesn't exist.

About these points only:

I don't think your average administrator will want to set the size for
negative and normal caches separately. In fact, 99.999% of
administrators will be confused and annoyed by having such an option.
How much space should I use for this? What if I get it wrong? And so
on. 

I am not saying that it should not be possible to change the value if we
have a separate cache, just that it is not necessarily a real benefit to
most users. (Although I am sure students and people in DNS-OARC will
love to produce research papers on varying this value!)

As for filling up the cache with negative answers... an attacker can
also easily fill up the cache with "junk" answers, for example by
creating an authoritative server which always answers A queries with a
random IP. In fact this is an even easier target, because the bad guy
might be able to use TXT lookups and get large responses - it takes a
lot fewer 3000-byte TXT cache entries than 300-byte negative SOA entries
to bloat memory. :)

--
Shane
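To make the two points above concrete (a single cache keyed by (name, type) cannot share an NXDOMAIN across types, and positive and negative entries both consume the same memory), here is a small model of the "one cache" design. It is an added illustration written for this archive page, not BIND 10 code; the class name `ResolverCache`, the `"*"` pseudo-type used to hold a per-name NXDOMAIN, the `size` argument (the caller's estimate of the answer's wire size) and the sample names are all assumptions of the example.

```python
"""Model of a single bounded resolver cache. Positive RRsets, NOERROR/NODATA
and NXDOMAIN entries share one memory budget; an NXDOMAIN for a name is
stored once under a pseudo-type and answers every query type for that name.
Added illustration, not BIND 10 code."""
from collections import OrderedDict
import time

NXDOMAIN_KEY = "*"   # assumed pseudo-type: "this whole name does not exist"


class ResolverCache:
    def __init__(self, max_bytes, clock=time.monotonic):
        self.max_bytes = max_bytes
        self.clock = clock          # injectable so TTL expiry can be tested
        self.used = 0               # bytes currently accounted to entries
        # key -> (expires_at, size, payload); insertion order doubles as LRU order
        self._entries = OrderedDict()

    @staticmethod
    def _key(name, rtype):
        # Normalise owner names so "NOPE.example" and "nope.example." collide.
        return (name.lower().rstrip(".") + ".", rtype.upper())

    def _drop(self, key):
        _, size, _ = self._entries.pop(key)
        self.used -= size

    def _store(self, key, ttl, size, payload):
        if size > self.max_bytes:
            return                  # an answer larger than the whole budget is never cached
        if key in self._entries:
            self._drop(key)
        self._entries[key] = (self.clock() + ttl, size, payload)
        self.used += size
        # Positive and negative entries count against the same limit: when the
        # budget is exceeded, the least recently used entry goes, whatever its kind.
        while self.used > self.max_bytes:
            self._drop(next(iter(self._entries)))

    def put_rrset(self, name, rtype, rdata, ttl, size):
        # Any data for a name proves the name exists, so forget a stale NXDOMAIN.
        nx = self._key(name, NXDOMAIN_KEY)
        if nx in self._entries:
            self._drop(nx)
        self._store(self._key(name, rtype), ttl, size, ("RRSET", tuple(rdata)))

    def put_nodata(self, name, rtype, ttl, size):
        # NOERROR/NODATA is specific to one type, so it is keyed by (name, type).
        self._store(self._key(name, rtype), ttl, size, ("NODATA",))

    def put_nxdomain(self, name, ttl, size):
        # NXDOMAIN is stored once per name and shared by all types.
        self._store(self._key(name, NXDOMAIN_KEY), ttl, size, ("NXDOMAIN",))

    def _get(self, key):
        entry = self._entries.get(key)
        if entry is None:
            return None
        expires_at, _, payload = entry
        if expires_at <= self.clock():
            self._drop(key)         # expired: remove and report a miss
            return None
        self._entries.move_to_end(key)   # mark as recently used
        return payload

    def lookup(self, name, rtype):
        hit = self._get(self._key(name, NXDOMAIN_KEY))
        if hit is not None:
            return hit              # NXDOMAIN for the name answers any type
        return self._get(self._key(name, rtype))

    def entry_count(self):
        return len(self._entries)


if __name__ == "__main__":
    # Constructed sample session: a 1000-byte budget, 300-byte negative answers.
    cache = ResolverCache(max_bytes=1000)
    cache.put_nxdomain("nope.example", ttl=300, size=300)
    print(cache.lookup("nope.example", "A"), cache.lookup("nope.example", "MX"))
    cache.put_rrset("www.example", "A", ["192.0.2.1"], ttl=300, size=300)
    cache.put_rrset("www.example", "AAAA", ["2001:db8::1"], ttl=300, size=300)
    cache.put_rrset("big.example", "TXT", ["x" * 2990], ttl=300, size=3000)
    print("entries:", cache.entry_count(), "bytes used:", cache.used)
```

With the budget shared, one oversized TXT answer is refused outright and a stream of ordinary answers of either kind evicts the oldest entries, negative or positive alike; the separate-cache design would instead need its own limit for the negative side.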



