[dns-operations] dns-operationsopting in to stupid DNS tricks

Don Lehman don at lemcc.com
Mon Feb 21 18:05:21 UTC 2011


This is fun... For full disclosure, I work with Patrick at Akamai, but I speak only for myself.

On Feb 21, 2011, at 10:59 AM, Wes Hardaker wrote:

>>>>>> 
> 
> Oh, they do much worse things that simply changing stuff based on where
> you came from.  I actually recently wrote a whole blog entry
> (http://bit.ly/i5UGoA) on how they they're breaking things with the way
> they're (not) doing IPv6 deployment.  The blog entry documents how you
> can get bind to return a SERVFAIL for certain facebook queries [note:
> they seem change *how* they break things regularly and I haven't checked
> the previously seen behaviors again recently]

Not exactly sure who the 'they' is but this thread was discussing CDN's use of DNS to balance traffic and Facebook is not a commercial CDN and I don't think your blog'ed example have anything to do with CDNs. I've seen many examples of folks violating the CNAME an other data rule and seen it cause problems but I don't think you will see that in Akamai owned domains. If you do, you should let us know because we, and our customers, don't like things that don't work. IPv6 deployment is a work-in-progress, and there are a lot of challenges rolling out IPv6, but if you ever see Akamai doing something that breaks DNS please let us know so we can fix it.

> It's obvious to me that there are a large number of institutions that
> will likely not be deploying secure DNS to within their zones because it
> won't let them intentionally break things any longer, be it DNS
> balancing or IPv6-hackery or ...  What we need to do is give them or
> teach them how to use different tools to accomplish their goals.

Here at Akamai, I'm fairly certain, our secure DNS challenges have nothing to do with intentionally breaking anything or sending any answers for which we are not the authority.

> I think anycast scares some places because it gives control over what's
> actually happening to the network.  They'd rather do
> questionably-good-things because they can control the results.

I find it a little amusing that folks that don't seem to like CDNs use of constantly changing DNS think anycast is just fine. When I first worked with anycast we called it IP Hack since it was doing something the protocol wasn't really designed for. 

> 
> -- 
> Wes Hardaker
> Cobham Analytic Solutions

Don Lehman
don at lemcc.com


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20110221/271727d0/attachment.html>


More information about the dns-operations mailing list