[dns-operations] How Stack Overflow plans to survive the next DNS attack
Mark Andrews
marka at isc.org
Wed Jan 11 20:51:27 UTC 2017
In message <20170111143520.GF6344 at mx2.yitter.info>, Andrew Sullivan writes:
> On Wed, Jan 11, 2017 at 09:28:36AM -0500, Jared Mauch wrote:
> > > On Jan 11, 2017, at 8:08 AM, Tony Finch <dot at dotat.at> wrote:
>
> > > NOTIFY fixed this problem 20 years ago.
> >
> > I generally agree, but there is some nuance here, eg: if I want to reset my
> > serial, NOTIFY is of no help.
>
> Right, and quite apart from the other issues you noted, NOTIFY can get
> lost,

So can SOA / IXFR queries. In practice they get through most of
the time and if you have a transfer mesh lost notifies are generally
not a big deal.

> and NOTIFY does not actually provide a confirmation that it was
> received

Actually you have to acknowledge reception of a NOTIFY so yes you do
get confirmation. You should also be getting retries from the master
to the slave.

> or that the subsequent transaction happened. So NOTIFY is
> not a push, it's a "please pull" request. The difference is subtle,
> but in an environment where people are using 30s TTLs in an effort to
> steer traffic the difference may be important. (That IXFR-only never
> got standardized is another problem for the same class of people.)

IXFR-only is a hack to deal with multiple deltas being consolidated
into a single delta and pulling from different sources when you do
that. It may save some bytes some of the time but results in extra
traffic at other times. Removing / disabling the consolidation
code would actually be the better thing to do. IXFR-only is
also less reliable as it requires manually flipping data sources.

Mark

> Best regards,
>
> A
>
> --
> Andrew Sullivan
> ajs at anvilwalrusden.com
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
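
Added example, not part of the original message and not code from ISC or any name server: a sketch of the NOTIFY exchange discussed in this thread (RFC 1996, opcode 4), showing what the master sends, what the slave's acknowledgement looks like on the wire, and a master-side retry loop over a lossy link. The zone name, message IDs, retry count and the `lossy_slave` transport are constructed for illustration.

```python
import struct

QR, AA, OPCODE_NOTIFY, TYPE_SOA, CLASS_IN = 0x8000, 0x0400, 4, 6, 1

def encode_name(zone):
    """Encode a zone name as DNS wire-format labels."""
    labels = [l for l in zone.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_notify(zone, msg_id):
    """Master side: NOTIFY request (opcode 4, AA set, one SOA question)."""
    flags = (OPCODE_NOTIFY << 11) | AA
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)

def build_ack(request):
    """Slave side: echo the request with the QR (response) bit set."""
    msg_id, flags = struct.unpack("!HH", request[:4])
    return struct.pack("!HH", msg_id, flags | QR) + request[4:]

def is_ack(request, response):
    """True only if the response acknowledges this exact NOTIFY."""
    if response is None or len(response) < 12:
        return False
    rid, rflags = struct.unpack("!HH", response[:4])
    qid = struct.unpack("!H", request[:2])[0]
    return (rid == qid
            and (rflags & QR) != 0                      # it is a response
            and ((rflags >> 11) & 0xF) == OPCODE_NOTIFY
            and (rflags & 0xF) == 0                     # RCODE NOERROR
            and response[12:] == request[12:])          # same zone/type/class

def notify_with_retry(zone, msg_id, transport, max_tries=5):
    """Resend until acknowledged; return the number of tries used, or None."""
    request = build_notify(zone, msg_id)
    for attempt in range(1, max_tries + 1):
        if is_ack(request, transport(request)):
            return attempt
    return None

def lossy_slave(drop_first):
    """Constructed transport: drops the first N datagrams, then acks."""
    state = {"seen": 0}
    def transport(request):
        state["seen"] += 1
        return None if state["seen"] <= drop_first else build_ack(request)
    return transport

if __name__ == "__main__":
    print(notify_with_retry("example.com", 0x1234, lossy_slave(2)))
```

The acknowledgement only shows that the NOTIFY was received; confirming that the slave actually caught up takes a separate SOA serial query against it.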