[dns-operations] How Stack Overflow plans to survive the next DNS attack

Mark Andrews marka at isc.org
Wed Jan 11 20:51:27 UTC 2017


In message <20170111143520.GF6344 at mx2.yitter.info>, Andrew Sullivan writes:
> On Wed, Jan 11, 2017 at 09:28:36AM -0500, Jared Mauch wrote:
> > > On Jan 11, 2017, at 8:08 AM, Tony Finch <dot at dotat.at> wrote:
> 
> > > NOTIFY fixed this problem 20 years ago.
> > 
> > I generally agree, but there is some nuance here, eg: if I want to reset my
> > serial, NOTIFY is of no help.
> 
> Right, and quite apart from the other issues you noted, NOTIFY can get
> lost,

So can SOA / IXFR queries.  In practice they get through most of
the time and if you have a transfer mesh lost notifies are generally
not a big deal.

> and NOTIFY does not actually provide a confirmation that it was
> received

Actually you have to acknowledge reception of a NOTIFY so yes you do
get confirmation.  You should also be getting retries from the master
to the slave.

> or that the subsequent transaction happened.  So NOTIFY is
> not a push, it's a "please pull" request.  The difference is subtle,
> but in an environment where people are using 30s TTLs in an effort to
> steer traffic the difference may be important.  (That IXFR-only never
> got standardized is another problem for the same class of people.)

IXFR-only is a hack to deal with multiple deltas being consolidated
into a single delta and pulling from different sources when you do
that.  It may save some bytes some of the time but results in extra
traffic at other times.  Removing / disabling the consolidation
code would actually be the better thing to do.  IXFR-only is
also less reliable as it requires manually flipping data sources.

Mark

> Best regards,
> 
> A
> 
> -- 
> Andrew Sullivan
> ajs at anvilwalrusden.com
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
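The acknowledgement and retry behaviour described above (a NOTIFY response is the master's confirmation; an unanswered request is retried), worked through as an added example that is not from this thread. It follows the RFC 1996 message layout; the transport is stubbed as a `send` function and the attempt count is a constructed assumption.

```python
import struct

OPCODE_NOTIFY = 4                      # RFC 1996 opcode value
QTYPE_SOA, QCLASS_IN = 6, 1
HEADER = struct.Struct("!HHHHHH")      # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
QR = 0x8000                            # response bit in the flags word

def encode_name(zone):
    labels = [lab.encode("ascii") for lab in zone.rstrip(".").split(".")]
    return b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"

def parse_question(msg):
    """Return (qname, qtype, qclass, end_offset) of the first question; no compression pointers."""
    pos, labels = HEADER.size, []
    while msg[pos]:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, qclass = struct.unpack_from("!HH", msg, pos + 1)
    return ".".join(labels) + ".", qtype, qclass, pos + 5

def build_notify(msg_id, zone):
    """Master side: NOTIFY request (QR clear, opcode 4) carrying one SOA question for the zone."""
    question = encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)
    return HEADER.pack(msg_id, OPCODE_NOTIFY << 11, 1, 0, 0, 0) + question

def ack_notify(request):
    """Slave side: the acknowledgement echoes ID, opcode and question with QR set, nothing more."""
    msg_id, flags, qdcount = HEADER.unpack_from(request)[:3]
    if (flags >> 11) & 0xF != OPCODE_NOTIFY:
        return None                    # not a NOTIFY: nothing to acknowledge here
    end = parse_question(request)[3]
    return HEADER.pack(msg_id, flags | QR, qdcount, 0, 0, 0) + request[HEADER.size:end]

def is_valid_ack(request, response):
    """Master side: only a reply matching ID, opcode and question clears the retry-queue entry."""
    rid, rflags = HEADER.unpack_from(request)[:2]
    aid, aflags = HEADER.unpack_from(response)[:2]
    return (aid == rid and bool(aflags & QR) and (aflags >> 11) & 0xF == OPCODE_NOTIFY
            and parse_question(request)[:3] == parse_question(response)[:3])

def notify_with_retries(send, msg_id, zone, max_attempts=3):
    """Retry loop; `send` stands in for the UDP transport and returns the raw reply or None on timeout.
    Returns the attempt number that was acknowledged, or None if every attempt was lost."""
    request = build_notify(msg_id, zone)
    for attempt in range(1, max_attempts + 1):
        reply = send(request)
        if reply is not None and is_valid_ack(request, reply):
            return attempt
    return None
```

A slave that acknowledges but never follows up with the SOA query is still indistinguishable from one that did, which is the "please pull" point made in the quoted message.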
