[98537] in North American Network Operators' Group


Re: Industry best practices (was Re: large organization nameservers

daemon@ATHENA.MIT.EDU (Sean Donelan)
Sat Aug 11 21:05:32 2007

Date: Sat, 11 Aug 2007 21:04:32 -0400 (EDT)
From: Sean Donelan <sean@donelan.com>
To: nanog@merit.edu
In-Reply-To: <g3vebot2cg.fsf@sa.vix.com>
Errors-To: owner-nanog@merit.edu


Followups probably should go to the dnsops mailing list.

I got tired of things and went back to the original question, and put 
together my list of the "minimum" packets needed for full DNS 
performance on the modern Internet.

It is the minimum, based on the security principle deny everything, allow
only what is needed. But "needed" is performance based. So it means not 
relying on fallbacks, timeouts or hoping no one complains. It does not 
include packets needed for diagnostic or troubleshooting information.
It is based on the "modern" Internet so does not include very deprecated 
packets like Source Quench or unimplemented functions like broadcast DNS
queries.

It does include current Internet practices for EDNS, Notify, global DNS 
load balancers and error handling I've seen in recent, i.e. less than 10 
years old, DNS, Router and OS software.

I didn't include TOS/DSCP and some military options, mainly because I'm 
not sure what "modern" military networks are currently using.  If you are
using TOS/DSCP or military options, there are some things you will need to 
add.

<http://www.donelan.com/dnsacl.html>
<http://www.donelan.com/dnsacl-min-cisco.html>
