Exploits start against flaw that could hamstring huge swaths of Internet | Ars Technica

Mark Andrews marka at isc.org
Tue Aug 4 16:39:18 UTC 2015


In message <9C2ACA5A-755D-4FCF-8491-745A1F9111BA at puck.nether.net>, Jared Mauch writes:
> I recommend using DNSDIST to balance traffic at a protocol level as you can
> have implementation diversity on the backside.
> 
> I can send an example config out later for people. You can balance to bind,
> NSD and others all at the same time :-) just move your SPoF
> 
> Jared Mauch

Unless the same client hits the same server all the time, this is a
bad idea.

Resolvers actually track capabilities of servers, as it is the only
way to get answers due to firewalls dropping legitimate packets and
protocol misimplementations.  Add to that different vendors /
versions supporting different extensions, and randomly flipping between
vendors / versions is fraught with danger unless you take extreme
care.

> > On Aug 4, 2015, at 10:03 AM, Jay Ashworth <jra at baylink.com> wrote:
> >
> > Everyone got BIND updated?
> >
> >
> > http://arstechnica.com/security/2015/08/exploits-start-against-flaw-that-could-hamstring-huge-swaths-of-internet/
> > --
> > Sent from my Android phone with K-9 Mail. Please excuse my brevity.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
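The failure mode described above (a resolver caches what it learned about the server behind one address, then the balancer hands its next query to a different implementation) can be made concrete with a small simulation. This is an added example, not code from the thread, from dnsdist or from any resolver; the backend feature sets, the two balancing policies and the simplified capability cache are constructed for illustration only.

```python
import hashlib
import random

# Constructed pool: three backends behind one VIP, each a different
# implementation with a different feature set (illustrative, not a
# statement about any real product).
BACKENDS = {
    "impl_a": {"edns": True,  "cookies": True},
    "impl_b": {"edns": True,  "cookies": False},
    "impl_c": {"edns": False, "cookies": False},
}


def pick_random(client, backends):
    """Balancer policy: every query goes to a random backend."""
    return random.choice(sorted(backends))


def pick_sticky(client, backends):
    """Balancer policy: a given client always lands on the same backend."""
    names = sorted(backends)
    h = int(hashlib.sha256(client.encode()).hexdigest(), 16)
    return names[h % len(names)]


class Resolver:
    """Simplified model of a resolver's per-server capability cache."""

    def __init__(self):
        self.learned = None  # features learned from the VIP on first contact

    def query(self, backend_features):
        if self.learned is None:          # first query: probe and remember
            self.learned = dict(backend_features)
            return True
        # Later queries rely on the cached assumption. A mismatch stands
        # in for a timeout/retry (e.g. EDNS sent to a server that drops it).
        return self.learned == backend_features


def simulate(policy, clients, queries_per_client, seed=0):
    """Return how many queries hit a backend unlike the one the resolver learned."""
    random.seed(seed)
    failures = 0
    for client in clients:
        resolver = Resolver()
        for _ in range(queries_per_client):
            backend = policy(client, BACKENDS)
            if not resolver.query(BACKENDS[backend]):
                failures += 1
    return failures
```

With ten constructed clients and twenty queries each, `simulate(pick_sticky, ...)` reports no mismatches while `simulate(pick_random, ...)` reports many, which is the "same client, same server" condition in the reply above.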
