[182909] in North American Network Operators' Group


Re: Exploits start against flaw that could hamstring huge swaths of

daemon@ATHENA.MIT.EDU (Damian Menscher via NANOG)
Tue Aug 4 12:49:44 2015

X-Original-To: nanog@nanog.org
In-Reply-To: <20150804163918.338973422640@rock.dv.isc.org>
Date: Tue, 4 Aug 2015 09:49:21 -0700
To: Mark Andrews <marka@isc.org>
From: Damian Menscher via NANOG <nanog@nanog.org>
Reply-To: Damian Menscher <damian@google.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

On Tue, Aug 4, 2015 at 9:39 AM, Mark Andrews <marka@isc.org> wrote:

> In message <9C2ACA5A-755D-4FCF-8491-745A1F9111BA@puck.nether.net>, Jared
> Mauch writes:
> > I recommend using DNSDIST to balance traffic at a protocol level as you
> > can have implementation diversity on the backside.
> >
> > I can send an example config out later for people. You can balance to
> > bind NSD and others all at the same time :-) just move your SPoF
>
> Unless the same client hits the same server all the time this is a
> bad idea.
>

But tying a set of clients to the same backend puts them all in the same
failure domain....

> Resolvers actually track capabilities of servers as it is the only
> way to get answers due to firewalls dropping legitimate packets and
> protocol misimplementations.  Add to that different vendors /
> versions supporting different extensions, randomly flipping between
> vendors / versions is fraught with danger unless you take extreme
> care.


Out of curiosity, do any resolvers other than BIND do this?  I ask because
BIND has a reputation for having "too many" features, and I wonder if this
is one of them.

Damian

> > On Aug 4, 2015, at 10:03 AM, Jay Ashworth <jra@baylink.com> wrote:
> > >
> > > Everyone got BIND updated?
> > >
> > >
> > > http://arstechnica.com/security/2015/08/exploits-start-against-flaw-that-could-hamstring-huge-swaths-of-internet/
> > > --
> > > Sent from my Android phone with K-9 Mail. Please excuse my brevity.
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
>
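
The trade-off argued in this message, as an added example that is not part of the original thread: round-robin across mixed implementations flips every client between backends, while a per-client hash keeps each client on one backend but makes that backend the client's failure domain. Rendezvous hashing is used here as one way to get stickiness; it is not a description of what DNSDIST does, and the backend names and client addresses are constructed.

```python
import hashlib
from itertools import cycle

# Constructed names; BIND and NSD are the implementations named in the thread.
BACKENDS = ["bind-1", "nsd-1", "other-1"]
# Constructed client addresses from the documentation range 192.0.2.0/24.
CLIENTS = [f"192.0.2.{n}" for n in range(1, 41)]

def _score(client_ip, backend):
    """Deterministic per-(client, backend) weight."""
    digest = hashlib.sha256(f"{client_ip}|{backend}".encode()).digest()
    return int.from_bytes(digest[:8], "big")

def pick_sticky(client_ip, backends):
    """Rendezvous hashing: the highest score wins, so a client keeps
    the same backend for as long as that backend is in the pool."""
    return max(backends, key=lambda b: _score(client_ip, b))

def flips(choices):
    """How often consecutive queries landed on a different backend."""
    return sum(1 for a, b in zip(choices, choices[1:]) if a != b)

def simulate(clients, queries_per_client, backends):
    """Per client: (flips under round-robin, flips under sticky hashing)."""
    rr = cycle(backends)
    report = {}
    for ip in clients:
        rr_choices = [next(rr) for _ in range(queries_per_client)]
        sticky = [pick_sticky(ip, backends) for _ in range(queries_per_client)]
        report[ip] = (flips(rr_choices), flips(sticky))
    return report

def moved_after_failure(clients, backends, failed):
    """Clients whose backend changes when `failed` leaves the pool.
    These are exactly the clients that shared its failure domain."""
    survivors = [b for b in backends if b != failed]
    return [ip for ip in clients
            if pick_sticky(ip, backends) != pick_sticky(ip, survivors)]

if __name__ == "__main__":
    for ip, (rr, sticky) in list(simulate(CLIENTS, 6, BACKENDS).items())[:3]:
        print(f"{ip}: round-robin flips={rr}, sticky flips={sticky}")
    hit = moved_after_failure(CLIENTS, BACKENDS, "bind-1")
    print(f"{len(hit)} of {len(CLIENTS)} clients re-homed after bind-1 failed")
```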
