[dns-operations] knot-dns

Florian Weimer fw at deneb.enyo.de
Sun Dec 14 18:38:38 UTC 2014

* Roland Dobbins:

> While it sounds good on phosphor, the concept of code diversity is so
> abstract, compared to the significant operational challenges and
> associated security challenges of operating separate systems
> performing the same functions (sort of), but differently, that any
> potential benefit is generally outweighed by the negative impact to
> security posture of said challenges.

In particular, running different implementations behind a load
balancer on the same public IP address can break EDNS detection by
resolvers, and crafted queries sent to a resolver can make data
unavailable to that resolver (until a timeout occurs).
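To make the failure mode concrete, here is a small simulation written for this page; it is an added example, not code from the dns-operations thread, from Florian, or from Knot DNS. It models one public address fronting a round-robin pool, a resolver that probes EDNS per address and caches the verdict, and a pre-EDNS backend that answers FORMERR to any query carrying an OPT record. The resolver policy (one FORMERR marks the address non-EDNS for a fixed hold-down, and DNSSEC lookups, which need the DO bit in OPT, are answered SERVFAIL while that verdict stands) is an assumption of the model, not a description of any particular resolver; the backend names and the counter that stands in for the timeout are likewise constructed for the example.

```python
"""Toy model of resolver-side EDNS capability probing against one address.

Added example for the discussion above; not code from the thread or from any
DNS implementation. The resolver policy is an assumption chosen to show the
failure mode: one FORMERR in reply to an EDNS query marks the address as
non-EDNS for a fixed hold-down, during which lookups that need EDNS (DNSSEC,
DO bit) cannot be sent upstream and are answered SERVFAIL.
"""
import itertools
from dataclasses import dataclass


@dataclass
class Backend:
    """One authoritative implementation behind the shared address (constructed)."""
    name: str
    supports_edns: bool

    def answer(self, edns: bool) -> dict:
        # A pre-EDNS server replies FORMERR to a query carrying an OPT RR.
        if edns and not self.supports_edns:
            return {"rcode": "FORMERR", "by": self.name}
        return {"rcode": "NOERROR", "by": self.name}


class LoadBalancer:
    """Single public IP, round-robin over possibly heterogeneous backends."""

    def __init__(self, backends):
        self._next = itertools.cycle(backends)

    def query(self, edns: bool) -> dict:
        return next(self._next).answer(edns)


class Resolver:
    # Number of lookups the "no EDNS" verdict persists; stands in for the
    # timeout the post mentions (assumed value for the model).
    HOLDDOWN = 3

    def __init__(self, upstream: LoadBalancer):
        self.upstream = upstream
        self.no_edns_remaining = 0  # per-address cached verdict, as a countdown

    def lookup(self, need_dnssec: bool = False) -> str:
        """Return the rcode the stub client would see for one lookup."""
        if self.no_edns_remaining > 0:
            self.no_edns_remaining -= 1
            if need_dnssec:
                return "SERVFAIL"  # DO bit travels in OPT; cannot ask without EDNS
            return self.upstream.query(edns=False)["rcode"]
        resp = self.upstream.query(edns=True)
        if resp["rcode"] == "FORMERR":
            # Address judged non-EDNS: remember the verdict, retry plain.
            self.no_edns_remaining = self.HOLDDOWN
            if need_dnssec:
                return "SERVFAIL"
            resp = self.upstream.query(edns=False)
        return resp["rcode"]


def run(backends, queries):
    """Feed a list of need_dnssec flags through a fresh resolver; return rcodes."""
    r = Resolver(LoadBalancer(backends))
    return [r.lookup(need_dnssec=q) for q in queries]


def homogeneous_pool():
    """Two EDNS-capable backends: every DNSSEC lookup succeeds."""
    return run([Backend("knot-1", True), Backend("knot-2", True)], [True] * 6)


def mixed_pool():
    """EDNS-capable plus pre-EDNS backend on one address: the first FORMERR
    poisons the verdict and the following DNSSEC lookups fail until it expires."""
    return run([Backend("knot", True), Backend("legacy", False)], [True] * 6)


def crafted_query_then_victim():
    """An attacker's plain lookup that lands on the legacy backend flips the
    cached verdict; the resolver answers the attacker NOERROR after its
    fallback retry, but the next DNSSEC lookups from anyone else get SERVFAIL."""
    r = Resolver(LoadBalancer([Backend("knot", True), Backend("legacy", False)]))
    warm = r.lookup(need_dnssec=False)      # lands on knot: NOERROR
    attacker = r.lookup(need_dnssec=False)  # lands on legacy: FORMERR, plain retry ok
    victims = [r.lookup(need_dnssec=True) for _ in range(Resolver.HOLDDOWN)]
    return warm, attacker, victims


if __name__ == "__main__":
    print("homogeneous:", homogeneous_pool())
    print("mixed      :", mixed_pool())
    print("crafted    :", crafted_query_then_victim())
```

The point the model isolates is that the resolver keys its EDNS verdict on the address, not on whichever implementation happened to answer, so a pool that is only partly EDNS-capable looks to the resolver like a server that flaps, and a single well-placed query is enough to push the verdict into the bad state for the length of the hold-down.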

