[106723] in North American Network Operators' Group


RE: maybe a dumb idea on how to fix the dns problems i don't know....

daemon@ATHENA.MIT.EDU (Darden, Patrick S.)
Mon Aug 11 08:51:04 2008

Date: Mon, 11 Aug 2008 08:50:14 -0400
In-Reply-To: <48A032AF.5020709@karnaugh.za.net>
From: "Darden, Patrick S." <darden@armc.org>
To: "Colin Alston" <karnaugh@karnaugh.za.net>, "Joe Greco" <jgreco@ns.sol.net>
Cc: nanog@merit.edu
Errors-To: nanog-bounces@nanog.org


I think Colin just said everything I said, but in 1/10th the words.
And he posted before me.  Drats.

--Patrick Darden


-----Original Message-----
From: Colin Alston [mailto:karnaugh@karnaugh.za.net]
Sent: Monday, August 11, 2008 8:38 AM
To: Joe Greco
Cc: nanog@merit.edu
Subject: Re: maybe a dumb idea on how to fix the dns problems i don't know....


Joe Greco wrote:
>> Unix machines set up by anyone with half a brain run a local caching
>> server, and use forwarders. I.e., the nameserver process can establish a
>> persistent TCP connection to its trusted forwarders, if we just let it.
>
> Organizations often choose not to do this because doing so involves more
> risk and more things to update when the next vulnerability appears.  In
> many cases, you are suggesting additional complexity and management
> requirements.  A hosting company, for example, might have 20 racks of
> machines with 40 machines each, which is 800 servers.  If half of those
> are UNIX, then you're talking about 402 nameservers instead of just 2.


[Customers] <--/UDP/--> [DNS Cache] <--/TCP/--> [DNS servers]

Not so?

Of course, one shouldn't let the rest of the internet touch your DNS
Cache query interface... but that's just obvious.

I mentioned this a while ago though, so I demand credit ;P Also, I think
there is probably an IETF DNS WG list where this fits on topic (I have
no idea what it may be though).
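A concrete form of the [Customers] <--/UDP/--> [DNS Cache] <--/TCP/--> [DNS servers] diagram, added here as an example and not taken from anyone in the thread: an Unbound unbound.conf for a per-host caching resolver that answers only on loopback and sends every upstream query to its trusted forwarders over TCP. The forwarder addresses (192.0.2.53 and 192.0.2.54) are placeholders from the documentation range.

```conf
# Added example (not from the thread): host-local caching resolver in the
# [Customers] <--UDP--> [DNS Cache] <--TCP--> [DNS servers] shape.
# Forwarder addresses are assumed; replace them with your own.
server:
    # Listen only on loopback, so nothing beyond this host can reach the
    # cache's query interface.
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # Send every upstream query over TCP rather than UDP. An off-path
    # attacker cannot race a forged answer into an established TCP
    # stream the way it can race a spoofed UDP reply, so the cache's
    # exposure collapses to the exposure of the forwarders it trusts.
    tcp-upstream: yes

    # Unbound already randomizes source ports by default; harden-glue
    # additionally keeps out-of-bailiwick data from the forwarders out
    # of the cache.
    harden-glue: yes

forward-zone:
    # Everything goes to the two trusted forwarders (addresses assumed).
    name: "."
    forward-addr: 192.0.2.53
    forward-addr: 192.0.2.54
    forward-tcp-upstream: yes
```

To confirm the transport, run `dig @127.0.0.1 example.com` on the host while watching `ss -tn` (or `netstat -tn`): the only upstream sockets should be TCP connections to the forwarders, and no UDP socket should be bound to a public interface. The caveat is the one implicit in Joe's "just 2": the forwarders themselves still resolve the rest of the Internet over whatever transport authoritative servers support, so this moves the spoofing exposure onto the forwarders rather than removing it, and those two machines still need the usual port randomization and patching.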


