[bind10-dev] About resolver Negative Cache Design
Shane Kerr
shane at isc.org
Tue Feb 22 13:58:30 UTC 2011
Likun,
On Fri, 2011-02-18 at 19:17 +0800, Likun Zhang wrote:
> > As for filling up the cache with negative answers... an attacker can
> > also easily fill up the cache with "junk" answers, for example by
> > creating an authoritative server which always answers A queries with a
> > random IP. In fact this is an even easier target, because the bad guy
> > might be able to use TXT lookups and get large responses - it takes a
> > lot fewer 3000 byte TXT cache entries than 300 byte negative SOA entries
> > to bloat memory. :)
>
> Should we do something to avoid these too-long messages being cached? :)
I know you're kidding, but... no. Although of course some day a
researcher may find a useful way to tweak cache policy based on those
ideas... :)
--
Shane