In a message written on Mon, Aug 11, 2008 at 11:39:25AM -0400, Jay R. Ashworth wrote:
Everyone seems to continue asking "why can poisoning overwrite already cached answer" and no one seems to be answering, and, unless I'm a moron (which is not impossible), that's the crux of this issue.
Let's say you query FOO.COM, and it says "My servers are A, B, and C." So you cache A, B, and C and go on your merry way. Now, before the TTL expires the data center with B and C in it gets hit by a tornado. The FOO.COM admin quickly stands up two new servers in a new data center, and updates FOO.COM to be servers A, D, and E. So you go back and ask for "newname.foo.com" from A, by random chance. A sends you back "it's 1.2.3.4, and A, D, and E know all about it.". What you're advocating is that the server go, humm, that's not what I got the first time and keep using A, B, and C, for which B and C may no longer be authortative, or worse in this example, are completly offline. It would then wait until the TTL expires to get the same data. That's not to say there aren't possibly other checks or rechecks that could be done, but in the vast majority of day to day cases when someone properly gives you additional information it is useful. Authorities are updated all the time. There are thousands of these cache overwrites with new, more up to date info every day. -- Leo Bicknell - bicknell@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/