[dns-operations] knot-dns

David Conrad drc at virtualized.org
Mon Dec 15 02:45:16 UTC 2014


On Dec 14, 2014, at 3:05 PM, Roland Dobbins <rdobbins at arbor.net> wrote:
> I've never run into a situation in which a monoculture would've made things any worse.

?? 

Two words: Microsoft Windows.

> a) packet-of-death vulnerabilities are rare,

Sure, but they happen. For example:

- the resolver bug we're talking about
- pretty much any one of https://kb.isc.org/article/AA-00913/74/BIND-9-Security-Vulnerability-Matrix.html (not to pick on BIND, other DNS servers have DoS vulnerabilities as well of course)
- http://www.eweek.com/c/a/IT-Infrastructure/Bug-in-Juniper-Router-Firmware-Update-Causes-Massive-Internet-Outage-709180/
- http://blog.krisk.org/2013/02/packets-of-death.html
- etc.

Presumably you too can google "packet of death".

The point is that it is a risk that is easily mitigated by having diversity in your infrastructure.

> b) operators ought to have mechanisms in place to filter them when they do show up (*not* silly 'IPS'),

Does the term "closing the barn door after the horses have fled" mean anything to you?  

> c) gross incompetence with a heterogeneous software base is no different than gross incompetence with a monoculture - except that it's more certain.

Sorry, where is gross incompetence being demonstrated in this particular case?

> If we could ever get to the point where a monoculture was the biggest challenge we face, we'd be a lot better off than we are today.

Are you really arguing that we should not have diversity in the Internet infrastructure because there are a bunch of problems diversity in the infrastructure won't fix?

> And 'a bit more challenging' is a significant understatement, especially at scale.

Too bad no one has come up with something like Puppet, Chef, Ansible, etc., to help manage infrastructure configuration at scale.

> Worrying about software monoculture at this juncture is like worrying about urban planning when you don't even have indoor plumbing.

Software diversity is a tool that network administrators use to improve resiliency in their infrastructure.  I agree it is not a silver bullet but if I was building out critical infrastructure like (oh say) a root server or a resolver cloud that my customers depend on, I would want to minimize the risk that my infrastructure was vulnerable to a single bug.

I am honestly surprised you're arguing against this.

Regards,
-drc

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20141214/dec42d4b/attachment.sig>


More information about the dns-operations mailing list