[dns-operations] How Stack Overflow plans to survive the next DNS attack

Klaus Darilion klaus.mailinglists at pernau.at
Wed Jan 18 23:05:59 UTC 2017


Hi!

On 11.01.2017 13:37, Andrew Sullivan wrote:
> Hi,
> 
> On Wed, Jan 11, 2017 at 12:20:37PM +0100, Stephane Bortzmeyer wrote:
>> I also note that it is difficult (too difficult) to have several
>> DNS providers. They don't accept AXFR/IXFR so the customer is
>> locked.
> 
> It is important to note that this is not true of all such providers.
> (My employer, for one, happily speaks [A|I]XFR; they're not alone.)

Indeed, my employer (RcodeZero) too supports AXFR. It seems they have
only reviewed the big cloud providers, which also offer CDN services
(geodns ...) and therefore the master must be with the provider anyway.

> But there are some disadvantages.  Obviously, since the mechanisms for
> all the various DNS tricks are non-standard, such tricks are not
> portable across providers.  Moreover, because zone transfers work by
> getting the target server(s) to ask you for the zone, it's not exactly
> possible to "push" a change through transfer the way it is through DNS
> Update or an API call.

Pushing of course is nice. But you never know how long it takes from the
API accepting the "push" until the changes finally arrive at the
authoritative name server (there was a complaint about Cloudflare in the
blog's comments).

We do offer a "retrieve" command on our API which triggers an immediate
AXFR, but if this AXFR fails we do not queue and try again.

regards
Klaus
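The "AXFR fails, we do not queue and try again" point above is only actionable if the secondary can tell a failed or incomplete transfer from a good one. The following is an added example, not code from this post, from RcodeZero or from any provider named in the thread: it builds a constructed AXFR reply for the made-up zone example.com (serial and records are assumed for illustration) as it would arrive on the TCP socket, and validates it the way a secondary must before loading the zone: every length-prefixed message is parsed, the answer must start and end with the zone's SOA, and both SOAs must carry the same serial. Anything else is a failed transfer that has to be retried rather than loaded.

```python
"""Validate an AXFR reply at the wire level (stdlib only, no network).

Added example for the dns-operations thread; not RcodeZero's code.
The zone, serial and records are constructed for illustration.
"""
import struct

TYPE_A, TYPE_NS, TYPE_SOA, TYPE_AXFR = 1, 2, 6, 252
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a name at `off`, following RFC 1035 compression pointers.
    Returns (lower-cased name, offset just after the name as written at `off`)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # 2-byte compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower() + ".", (end if end is not None else off)


def rr(name, rtype, rdata, ttl=3600):
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def soa_rdata(zone, serial):
    """MNAME, RNAME, SERIAL, REFRESH, RETRY, EXPIRE, MINIMUM (values assumed)."""
    return (encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
            + struct.pack("!IIIII", serial, 7200, 3600, 1209600, 3600))


def build_axfr_stream(zone, serial, truncated=False):
    """Constructed AXFR reply as read from the TCP socket: two length-prefixed
    messages (RFC 5936 lets the answer span several; later ones may omit the
    question).  With truncated=True the closing SOA never arrives."""
    soa = rr(zone, TYPE_SOA, soa_rdata(zone, serial))
    first = [soa, rr(zone, TYPE_NS, encode_name("ns1." + zone))]
    second = [rr("www." + zone, TYPE_A, bytes([192, 0, 2, 10]))]
    if not truncated:
        second.append(soa)
    out = b""
    for i, records in enumerate((first, second)):
        question = encode_name(zone) + struct.pack("!HH", TYPE_AXFR, CLASS_IN) if i == 0 else b""
        header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1 if i == 0 else 0, len(records), 0, 0)
        msg = header + question + b"".join(records)
        out += struct.pack("!H", len(msg)) + msg
    return out


def parse_message(msg):
    """Answer section as (owner, type, msg, rdata_offset, rdlength); rejects RCODE != 0."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                   # QTYPE + QCLASS
    rrs = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rrs.append((owner, rtype, msg, off, rdlen))
        off += rdlen
    return rrs


def soa_serial(msg, rdata_off):
    """Skip MNAME and RNAME (either may be compressed), then read SERIAL."""
    _, off = decode_name(msg, rdata_off)
    _, off = decode_name(msg, off)
    return struct.unpack("!I", msg[off:off + 4])[0]


def validate_axfr(stream, zone):
    """Return (serial, rr_count) for a complete transfer, else raise ValueError.
    On ValueError the secondary must keep its old copy and retry later."""
    zone = zone.rstrip(".").lower() + "."
    rrs, off = [], 0
    while off < len(stream):
        (length,) = struct.unpack("!H", stream[off:off + 2])
        msg = stream[off + 2:off + 2 + length]
        if len(msg) != length:
            raise ValueError("short read: connection closed mid-message")
        rrs.extend(parse_message(msg))
        off += 2 + length
    if len(rrs) < 2 or rrs[0][1] != TYPE_SOA or rrs[-1][1] != TYPE_SOA:
        raise ValueError("transfer not bracketed by SOA records (incomplete)")
    if rrs[0][0] != zone:
        raise ValueError("SOA owner %s is not the requested zone" % rrs[0][0])
    first, last = soa_serial(rrs[0][2], rrs[0][3]), soa_serial(rrs[-1][2], rrs[-1][3])
    if first != last:
        raise ValueError("serial changed mid-transfer: %d vs %d" % (first, last))
    return first, len(rrs)


def transfer_ok(stream, zone):
    """The load-or-retry decision as a boolean."""
    try:
        validate_axfr(stream, zone)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = build_axfr_stream("example.com.", 2017011801)
    print(validate_axfr(good, "example.com."))                   # (2017011801, 4)
    bad = build_axfr_stream("example.com.", 2017011801, truncated=True)
    print(transfer_ok(bad, "example.com."))                      # False -> retry
```

In production the stream comes from a TCP socket after sending the AXFR query (and, for a provider that requires it, a TSIG-signed one); the parsing and the bracketing check are unchanged. A secondary that accepts the first two SOA-free messages and loads them would serve a partial zone, which is worse than serving the previous serial until the next retrieve succeeds.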
