[dns-operations] knot-dns

Roland Dobbins rdobbins at arbor.net
Sun Dec 14 23:05:26 UTC 2014

On 15 Dec 2014, at 5:47, David Conrad wrote:

> A monoculture invites catastrophic failure. We've seen this over and 
> over again.

We've seen heterogenous environments fail catastrophically, too.

I've never run into a situation in which a monoculture would've made 
things any worse.

> Sure, there are a wide variety of other possible failure points, but 
> it would be simply insane to (say) have everyone run the exact same 
> code base would mean that everyone is subject to the same 
> Packet-of-Death.

I hate to break it to you, but a) packet-of-death vulnerabilities are 
rare, b) operators ought to have mechanisms in place to filter them when 
they do show up (*not* silly 'IPS'), and c) gross incompetence with a 
heterogeneous software base is no different than gross incompetence with 
a monoculture - except that it's more certain.

Having worked for a major vendor of telecommunications gear which is 
quite dominant in its space, and having dealt with packet-of-death 
issues from said vendor's perspective, I'm here to tell you that all 
this preaching about avoiding monoculture is a sideshow compared to the 
real issues faced every day in the trenches.

If we could ever get to the point where a monoculture was the biggest 
challenge we face, we'd be a lot better off than we are today.

> Are you seriously arguing that it is better to have your entire 
> infrastructure subject to a PoD because it's a bit more challenging to 
> run different software bases?

See above.  And 'a bit more challenging' is a significant 
understatement, especially at scale.

Worrying about software monoculture at this juncture is like worrying 
about urban planning when you don't even have indoor plumbing.

Roland Dobbins <rdobbins at arbor.net>

More information about the dns-operations mailing list