[dns-operations] How Stack Overflow plans to survive the next DNS attack

Mark Jeftovic markjr at easydns.com
Wed Jan 11 17:25:07 UTC 2017

You can push updates and new zones to external platforms like Route 53,
Google Cloud DNS, Linode, Digital Ocean to name a few that we already do
this for.

Some of these (Route53) don't even support AXFR/IXFR so this is the only
way to really integrate. But it's a true push, complete with status
results. Some of these take some massaging, for example when using one
system + Route 53 you need to account for the fact that your zone will
have different SOAs from each nameserver set (although I think it might
be possible to sync your serials, I'd have to check).

I know that will make some DNS purists puke in their mouths just a
little bit. But when one of the nameserver sets is down hard - but you
have another one happily serving up your zones, people become more
generally tolerant.

- mark

Andrew Sullivan wrote:
> On Wed, Jan 11, 2017 at 09:28:36AM -0500, Jared Mauch wrote:
>>> On Jan 11, 2017, at 8:08 AM, Tony Finch <dot at dotat.at> wrote:
>>> NOTIFY fixed this problem 20 years ago.
>> I generally agree, but there is some nuance here, eg: if I want to reset my
>> serial, NOTIFY is of no help.
> Right, and quite apart from the other issues you noted, NOTIFY can get
> lost, and NOTIFY does not actually provide a confirmation that it was
> received or that the subsequent transaction happened.  So NOTIFY is
> not a push, it's a "please pull" request.  The difference is subtle,
> but in an environment where people are using 30s TTLs in an effort to
> steer traffic the difference may be important.  (That IXFR-only never
> got standardized is another problem for the same class of people.)
> Best regards,
> A

Mark Jeftovic <markjr at easydns.com>
Founder & CEO, easyDNS Technologies Inc.

More information about the dns-operations mailing list