[182917] in North American Network Operators' Group

Re: Exploits start against flaw that could hamstring huge swaths of

daemon@ATHENA.MIT.EDU (Joe Abley)
Tue Aug 4 13:49:12 2015

X-Original-To: nanog@nanog.org
From: "Joe Abley" <jabley@hopcount.ca>
To: "Jared Mauch" <jared@puck.nether.net>
Date: Tue, 04 Aug 2015 13:48:56 -0400
In-Reply-To: <9C2ACA5A-755D-4FCF-8491-745A1F9111BA@puck.nether.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org

Hi Jared,

On 4 Aug 2015, at 12:00, Jared Mauch wrote:

> I recommend using DNSDIST to balance traffic at a protocol level as 
> you can have implementation diversity on the backside.
>
> I can send an example config out later for people. You can balance to 
> BIND, NSD and others all at the same time :-) just move your SPoF

As someone who once hosted TLD zones in a way that a query to a 
particular nameserver could be answered by either NSD or BIND9, my 
advice would be "don't do that". You're setting yourself up for 
troubleshooting hell.

You can include different nameservers in the set for a single zone. 
Using different software for different nameservers can be sensible. 
Using different software for the same nameserver can be a nightmare.


Joe
