On Tuesday, 11 February 2014 4:28 AM, Frank Denis wrote:
The shorter the TTL of a record is, the easier a cache can be poisoned.
It is when a record is NOT cached that spoofed authoritative replies
can be sent and get a chance to reach the resolver before the
As soon as a valid response is received, dnscache invalidates the state,
discarding further responses, even if these are valid.
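
A minimal model of the behaviour discussed in this message, added here as an illustration; it is not part of the original e-mail and is not dnscache's code. `ModelResolver`, `open_windows`, the name `example.test` and the addresses are constructed for the example, and the model assumes one client query per second for a single name.

```python
class ModelResolver:
    """Toy caching resolver: a reply is only accepted while a query is in flight."""

    def __init__(self):
        self.cache = {}    # qname -> (answer, expires_at)
        self.pending = {}  # qname -> (txid, src_port) of the in-flight upstream query

    def lookup(self, qname, now, txid, src_port):
        entry = self.cache.get(qname)
        if entry and entry[1] > now:
            return entry[0]                     # cache hit: nothing is sent upstream
        self.cache.pop(qname, None)             # expired or absent
        self.pending[qname] = (txid, src_port)  # cache miss: acceptance window opens
        return None

    def on_reply(self, qname, txid, dst_port, answer, ttl, now):
        # No in-flight query, or transaction id / port mismatch: reply is dropped.
        if self.pending.get(qname) != (txid, dst_port):
            return False
        del self.pending[qname]                 # first matching reply closes the window
        self.cache[qname] = (answer, now + ttl)
        return True


def open_windows(ttl, horizon):
    """Count upstream queries (acceptance windows) over `horizon` seconds."""
    r = ModelResolver()
    windows = 0
    for now in range(horizon):
        txid = now & 0xFFFF  # constructed value; a real resolver randomises id and port
        if r.lookup("example.test", now, txid, 40000) is None:
            windows += 1
            r.on_reply("example.test", txid, 40000, "192.0.2.1", ttl, now)
    return windows


if __name__ == "__main__":
    for ttl in (5, 300, 3600):
        print(f"TTL {ttl:>4}s -> {open_windows(ttl, 3600)} windows per hour")
```

Each window is a period in which a reply for that name can be accepted at all, so the count per hour is the figure to watch when judging how a short TTL changes exposure.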