[192160] in North American Network Operators' Group


Re: Dyn DDoS this AM?

daemon@ATHENA.MIT.EDU (Måns Nilsson)
Fri Oct 21 19:27:09 2016

X-Original-To: nanog@nanog.org
Resent-From: Måns Nilsson <mansaxel@besserwisser.org>
Resent-To: nanog@nanog.org
Date: Sat, 22 Oct 2016 01:19:57 +0200
From: Måns Nilsson <mansaxel@besserwisser.org>
To: David Birdsong <david@imgix.com>
In-Reply-To: <CAOMvUQc0eDVa=UUhUQOZbbyfQYk--oTumO8p_TE3NUMH--RnKQ@mail.gmail.com>
Errors-To: nanog-bounces@nanog.org


Subject: Re: Dyn DDoS this AM? Date: Fri, Oct 21, 2016 at 03:21:20PM -0700
Quoting David Birdsong (david@imgix.com):
> On Fri, Oct 21, 2016 at 2:58 PM, Randy Bush <randy@psg.com> wrote:
>
> > anyone who relies on a single dns provider is just asking for stuff such
> > as this.
> >
> > randy
>
> I'd love to hear how others are handling the overhead of managing two dns
> providers. Every time we brainstorm on it, we see it as blackhole of eng
> effort WRT to keeping them in sync and then waiting for TTLs to cut an
> entire delegation over.

The fault is giving up the primary for an API connection. Sure, it is
tempting. We do, however, need to push the "application-integrated"
DNS vendors harder. They need to give their customers more choice in
how the DNS is populated.

They also very much need to let people with above-mentioned
"application-integrated" needs add third party DNS providers in the mix.
This diversity capability is what makes DNS resilient. Monocultures have
suboptimal survivability in the long run.

Adding DNS providers when you control the primary is completely
painless. With EDNS0 there's lots of room for insanely large NS RRSETs.

Also, do not fall in the "short TTL for service agility" trap.

Besides, what Randy wrote.

--
Måns Nilsson     primary/secondary/besserwisser/machina
MN-1334-RIPE                             +46 705 989668
Hold the MAYO & pass the COSMIC AWARENESS ...

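An added example, not part of the original message: it measures how large an NS RRset answer gets on the wire as nameservers from several providers are added, against the 512-byte UDP limit that applies without EDNS0 and a 4096-byte EDNS0 buffer. The zone, the provider names and the 4096-byte size are constructed assumptions, and glue records are not counted.

```python
import struct

def encode_name(name, offsets, pos):
    """Wire-encode `name` at message offset `pos`, pointing at any suffix
    that is already in the message (RFC 1035 name compression)."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    out = b""
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if suffix in offsets:
            return out + struct.pack("!H", 0xC000 | offsets[suffix])
        if pos + len(out) < 0x4000:          # a pointer holds a 14-bit offset
            offsets[suffix] = pos + len(out)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def ns_response(zone, nameservers, edns0=False):
    """Authoritative answer to `zone IN NS`: header, question, NS RRset,
    plus an OPT pseudo-record when EDNS0 is in use. No glue is added."""
    offsets = {}
    msg = struct.pack("!HHHHHH", 0, 0x8400, 1, len(nameservers), 0, int(edns0))
    msg += encode_name(zone, offsets, len(msg)) + struct.pack("!HH", 2, 1)
    for ns in nameservers:
        owner = encode_name(zone, offsets, len(msg))
        # RDATA starts after owner + type, class, TTL, RDLENGTH (10 bytes)
        rdata = encode_name(ns, offsets, len(msg) + len(owner) + 10)
        msg += owner + struct.pack("!HHIH", 2, 1, 86400, len(rdata)) + rdata
    if edns0:  # OPT: root name, type 41, class field = advertised UDP size
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    return msg

def max_ns_that_fit(zone, nameservers, limit, edns0=False):
    """Largest k such that the first k nameservers fit in `limit` bytes."""
    k = 0
    while (k < len(nameservers)
           and len(ns_response(zone, nameservers[:k + 1], edns0)) <= limit):
        k += 1
    return k

# Constructed sample data: a self-run pair plus hypothetical providers.
ZONE = "example.com"
MIXED = ["ns1.example.com", "ns2.example.com",
         "ns1.provider-a.example", "ns2.provider-a.example",
         "ns1.provider-b.example", "ns2.provider-b.example"]
MANY = [f"ns{j}.provider{i:02d}.example" for i in range(20) for j in (1, 2)]

if __name__ == "__main__":
    print("6 NS, three operators:", len(ns_response(ZONE, MIXED)), "bytes")
    print("40 NS, twenty operators:", len(ns_response(ZONE, MANY)), "bytes")
    print("fit in 512 without EDNS0:", max_ns_that_fit(ZONE, MANY, 512))
    print("fit in 4096 with EDNS0:", max_ns_that_fit(ZONE, MANY, 4096, True))
```

Name compression is what keeps the per-record cost low: the second nameserver under a provider's domain costs 18 bytes, while the first one under a new domain costs more because its domain label has to be spelled out.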
