[dns-operations] How Stack Overflow plans to survive the next DNS attack

Andrew Sullivan ajs at anvilwalrusden.com
Wed Jan 11 21:02:36 UTC 2017

On Thu, Jan 12, 2017 at 07:51:27AM +1100, Mark Andrews wrote:
> So can SOA / IXFR queries.  In practice they get through most of
> the time and if you have a transfer mesh lost notifies are generally
> not a big deal.

SOA queries certainly can.  IXFR queries can, depending on how you send
them (there are people who think that all transfers need to be TCP
only.  I seem to recall that discussion was exactly one of the things
about AXFR that held up doing the IXFR clarifications).  "Generally
not a big deal" is not really the way that operators of the sort we're
talking about can afford.

None of this is evidence that preferring some facility other than zone
transfers is a losing proposition in terms of actually solving
problems that humans have.

> IXFR-only is a hack to deal with multiple deltas being consolidated
> into a single delta and pulling from different sources when you do
> that.  It may save some bytes some of the time but results in extra
> traffic at other times.

The interesting thing about the Internet is that what is a "hack" for
one person is a "nice answer" for someone else.  As near as I can
tell, the reason ixfr-only failed to get standardized is the usual
IETF tradition that some noisy people insisted that someone else's use
case was the wrong problem to have.

Best regards,


Andrew Sullivan
ajs at anvilwalrusden.com

