[dns-operations] How Stack Overflow plans to survive the next DNS attack

Jared Mauch jared at puck.nether.net
Wed Jan 11 14:28:36 UTC 2017

> On Jan 11, 2017, at 8:08 AM, Tony Finch <dot at dotat.at> wrote:
> Andrew Sullivan <ajs at anvilwalrusden.com> wrote:
>> Moreover, because zone transfers work by getting the target server(s) to
>> ask you for the zone, it's not exactly possible to "push" a change
>> through transfer the way it is through DNS Update or an API call.
> NOTIFY fixed this problem 20 years ago.

I generally agree, but there is some nuance here, e.g. if I want to reset my
serial, NOTIFY is of no help.

The NOTIFY behavior of different servers is sufficiently variable that a migration
is problematic, for example:

BIND notifies all NS records in a zone, whereas NSD requires you to configure
where to send notifies to outside the zone, and it can't copy the BIND behavior.

NSD would be more friendly to stealth-masters or stealth-slaves that feed into
the actual servers, but is less friendly in permitting the master IP (or IPs in
the case of dual-stack) to just send or accept a notify.

None of this is fatal, but if you're not sending notifies to the proper location,
or the destination changes, it's a few more variables to manage in a migration,
making your existing solution more sticky as a result.

(Still stumbling through a few details of a BIND->NSD migration for my free
secondary service.)

- jared
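The BIND/NSD difference Jared describes above, shown side by side as an added configuration example. This is not configuration from the post, from the ISC BIND project or from NLnet Labs NSD; the zone name example.com, the addresses 192.0.2.1 / 2001:db8::1 (primary) and 192.0.2.10 / 2001:db8::10 (secondary), the key name xfr-key and its secret are constructed placeholders. It shows that BIND's primary notifies every NS in the zone by default and only needs also-notify for stealth secondaries, while NSD's primary notifies nobody unless each destination is listed, and an NSD secondary only honours NOTIFY from addresses explicitly allowed, so a dual-stack primary needs both its v4 and v6 addresses listed.

```conf
# ---- BIND 9 primary (named.conf) --------------------------------------
# Placeholder TSIG key; generate a real secret with tsig-keygen.
key "xfr-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET==";   # constructed placeholder
};

zone "example.com" {
    type master;                       # "primary" in newer BIND releases
    file "example.com.zone";
    notify yes;                        # default: NOTIFY every NS record in the zone
    # Stealth secondary (not in the NS set) must be added explicitly:
    also-notify { 192.0.2.10 key "xfr-key"; 2001:db8::10 key "xfr-key"; };
    # Only TSIG-signed transfer requests are served.
    allow-transfer { key "xfr-key"; };
};

# ---- NSD primary (nsd.conf) -------------------------------------------
# NSD sends no NOTIFY at all unless a destination is listed per zone;
# it does not derive targets from the zone's NS records.
key:
    name: "xfr-key"
    algorithm: hmac-sha256
    secret: "PLACEHOLDER_BASE64_SECRET=="    # constructed placeholder

zone:
    name: "example.com"
    zonefile: "example.com.zone"
    notify: 192.0.2.10 xfr-key              # one line per secondary address
    notify: 2001:db8::10 xfr-key
    provide-xfr: 192.0.2.10 xfr-key         # who may AXFR/IXFR, signed with this key
    provide-xfr: 2001:db8::10 xfr-key

# ---- NSD secondary (nsd.conf) -----------------------------------------
# NOTIFY from any address not in allow-notify is silently dropped, so a
# dual-stack primary needs both of its addresses here, or a v6 NOTIFY will
# be ignored while the v4 one works.
zone:
    name: "example.com"
    zonefile: "secondary/example.com.zone"
    allow-notify: 192.0.2.1 xfr-key
    allow-notify: 2001:db8::1 xfr-key
    request-xfr: AXFR 192.0.2.1 xfr-key
    request-xfr: AXFR 2001:db8::1 xfr-key
```

When migrating, the check worth automating is a comparison of the SOA serial on each secondary against the primary after a change (`dig +short SOA example.com @<secondary>`), since a NOTIFY that is sent to the wrong place or dropped by allow-notify produces no error on the primary; the secondary simply keeps serving the old serial until its SOA refresh timer fires. Both servers can also trigger a NOTIFY by hand (`rndc notify example.com` on BIND, `nsd-control notify example.com` on NSD) to confirm the destinations are actually reached.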
