[dns-operations] knot-dns

David Conrad drc at virtualized.org
Sun Dec 14 22:47:34 UTC 2014


I'm having a bit of trouble believing this isn't April 1.

On Dec 14, 2014, at 10:38 AM, Florian Weimer <fw at deneb.enyo.de> wrote:
>> While it sounds good on phosphor, the concept of code diversity is so
>> abstract, compared to the significant operational challenges and
>> associated security challenges of operating separate systems
>> performing the same functions (sort of), but differently, that any
>> potential benefit is generally outweighed by the negative impact to
>> security posture of said challenges.

Sorry, this is simply wrong.

A monoculture invites catastrophic failure. We've seen this over and over again.

Sure, there are a wide variety of other possible failure points, but it would be simply insane to (say) have everyone run the exact same code base would mean that everyone is subject to the same Packet-of-Death.

Are you seriously arguing that it is better to have your entire infrastructure subject to a PoD because it's a bit more challenging to run different software bases?

> In particular, running different implementations behind a load
> balancer on the same public IP address can break EDNS detection by
> resolvers, and crafted queries sent to a resolver can make data
> unavailable to that resolver (until a timeout occurs).


If you're running multiple implementations behind a load balancer and one is not following the protocol specifications such that it breaks EDNS detection, the answer is to fix the broken resolver or run a different resolver that responds correctly, not run an identical code base.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20141214/8aa807a5/attachment.sig>

More information about the dns-operations mailing list