[dns-operations] How Stack Overflow plans to survive the next DNS attack

Mark Andrews marka at isc.org
Wed Jan 11 20:32:57 UTC 2017


In message <CD6F1A02-8B79-4285-B9D3-11CDDDC2D3D2 at puck.nether.net>, Jared Mauch writes:
>
> > On Jan 11, 2017, at 8:08 AM, Tony Finch <dot at dotat.at> wrote:
> >
> > Andrew Sullivan <ajs at anvilwalrusden.com> wrote:
> >
> >> Moreover, because zone transfers work by getting the target server(s) to
> >> ask you for the zone, it's not exactly possible to "push" a change
> >> through transfer the way it is through DNS Update or an API call.
> >
> > NOTIFY fixed this problem 20 years ago.
> >
>
> I generally agree, but there is some nuance here, eg: if I want to reset
> my serial, NOTIFY is of no help.

You can reset your serial using NOTIFY.  It may take a couple of serial
number bumps but you can do it.  Serial number arithmetic is not that
hard.

> The notify behavior of different servers is sufficiently variant a
> migration is problematic, for example:
>
> bind notifies all NS records in a zone, whereas NSD requires you to
> configure where to send notifies to outside the zone, and it can't copy the BIND
> behavior.

BIND by default sends to all NS except the one that matches the
MNAME.  You can however tell it to send to a configured list.  You
can also tell it to only send to the configured list.

> NSD would be more friendly to stealth-masters or stealth-slaves that feed
> into the actual servers,

No, BIND is equally friendly.

> but is less friendly in permitting the master IP (or
> IPs in the case of dual-stack) to just send or accept a notify.
>
> None of this is fatal, but if you're not sending notifies to the proper
> location, or the destination changes, it's a few more variables to manage in a
> migration making your existing solution more sticky as a result.
>
> (still stumbling through a few details of a bind->NSD migration for my
> free secondary service).
>
> - jared
>
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
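Mark's remark that a serial can be "reset" through NOTIFY in a couple of bumps rests on RFC 1982 serial number arithmetic: a secondary accepts a new serial only if it is "greater than" its current one within a window of 2^31, so a downward reset is done by walking forward around the 32-bit ring in steps smaller than that. The Python below is an added example, not code from this thread or from BIND or NSD; it implements the RFC 1982 comparison and computes the intermediate serials needed to reach any target value, which generalises the two-bump case in the text. All serial values in it are constructed.

```python
# Added example (not from the thread): RFC 1982 serial arithmetic and a
# plan for moving a SOA serial to an arbitrary (even numerically smaller)
# target in steps that every secondary will accept.

SERIAL_BITS = 32
MODULUS = 1 << SERIAL_BITS        # 2**32: serials live on this ring
HALF = 1 << (SERIAL_BITS - 1)     # 2**31: a single step must be smaller than this


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 section 3.2: is serial a 'greater than' serial b?

    Returns False in both directions when the serials differ by exactly
    2**31, which the RFC leaves undefined; callers must avoid that case.
    """
    a %= MODULUS
    b %= MODULUS
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def add_serial(s: int, n: int) -> int:
    """RFC 1982 addition: the increment must lie in [0, 2**31 - 1]."""
    if not 0 <= n < HALF:
        raise ValueError("increment must be less than 2**31")
    return (s + n) % MODULUS


def reset_plan(current: int, target: int) -> list[int]:
    """Ordered list of serials to publish so secondaries end up at `target`.

    Each entry is 'greater than' the previous one under RFC 1982, so a
    secondary that has transferred the previous step will accept the next.
    """
    plan = []
    s = current % MODULUS
    target %= MODULUS
    while s != target:
        distance = (target - s) % MODULUS   # forward distance around the ring
        step = min(distance, HALF - 1)      # largest increment a secondary accepts
        s = add_serial(s, step)
        plan.append(s)
    return plan


def plan_is_monotonic(start: int, plan: list[int]) -> bool:
    """Check that every published serial in `plan` beats the one before it."""
    prev = start
    for s in plan:
        if not serial_gt(s, prev):
            return False
        prev = s
    return True


if __name__ == "__main__":
    # Constructed case: a date-style serial being reset to 1, as a
    # migration to a different serial scheme might require.
    current, target = 2017011101, 1
    steps = reset_plan(current, target)
    print(f"publish in order: {steps}")          # two bumps, as Mark says
    print("monotonic:", plan_is_monotonic(current, steps))
```

The operational caveat is that every secondary must have transferred each intermediate serial before the next one is published: a secondary that misses a step sees the final serial as older than what it holds and keeps serving the stale zone. Checking the SOA serial on each secondary (for example with `dig SOA` against each server) before sending the next NOTIFY is the usual way to confirm the step has propagated.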