Dyn DDoS this AM? - dns
alvin nanog
nanogml at Mail.DDoS-Mitigator.net
Sat Oct 22 06:16:17 UTC 2016
On 10/21/16 at 03:21pm, David Birdsong wrote:
> On Fri, Oct 21, 2016 at 2:58 PM, Randy Bush <randy at psg.com> wrote:
> > anyone who relies on a single dns provider is just asking for stuff such
> > as this.
:-)
> I'd love to hear how others are handling the overhead of managing two dns
> providers.
in my view of ( automated ) dns management:

Only on the one "master" dns server, make your DNS changes, update the
serial number for example.com changes and reload the newly updated zone
file ... notifications go out to all known slave DNS servers ..

For all the other authorized DNS servers, they should all automatically
update themselves ... magic all dns servers are in sync ...

some folks don't like "master" DNS server vs slaves .. i donno why not ..

but, you do have to configure your "master dns server" properly to
allow only authorized slaves access to their dns records

similarly, slave DNS servers should only update from their recognized
master dns server

there should be zero issues with managing 2 dns servers or 100 dns servers

before downloading new dns info, Man-in-the-Middle tests with OpenSSL
certs should be done to confirm the other end is in fact who you think
it is that you're going to be sending dns info to or receiving from
c ya
alvin
http://DDoS-Mitigator.net
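
Added example, not part of the message above or of any project's code: a small audit of the two access rules the message describes (the master lets only authorized slaves transfer, each slave pulls only from a named master). It assumes BIND-style `named.conf` zone statements without comments; the config fragments and documentation addresses are constructed, and the `audit` helper is hypothetical.

```python
import re

# Constructed named.conf fragments (assumed BIND syntax, documentation addresses).
PRIMARY_CONF = '''
zone "example.com" { type master; file "example.com.zone";
    allow-transfer { 192.0.2.53; 198.51.100.53; };
    also-notify { 192.0.2.53; 198.51.100.53; }; };
zone "example.net" { type master; file "example.net.zone";
    allow-transfer { any; }; };
zone "example.org" { type master; file "example.org.zone"; };
'''
SECONDARY_CONF = '''
zone "example.com" { type slave; file "example.com.bak";
    masters { 203.0.113.1; }; allow-transfer { none; }; };
zone "example.net" { type slave; file "example.net.bak";
    allow-transfer { none; }; };
'''

def zone_blocks(conf):
    """Yield (zone name, body) for each zone statement, matching nested braces."""
    for m in re.finditer(r'zone\s+"([^"]+)"[^{]*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def acl(body, option):
    """Return the entries of `option { ...; }` as a list, or None if absent."""
    m = re.search(r'\b' + re.escape(option) + r'\s*\{([^}]*)\}', body)
    return None if m is None else [e.strip() for e in m.group(1).split(";") if e.strip()]

def audit(conf):
    """Flag zones whose transfer policy is open or left to an inherited default."""
    findings = []
    for name, body in zone_blocks(conf):
        ztype = re.search(r'\btype\s+(\w+)', body).group(1)
        xfer = acl(body, "allow-transfer")
        if xfer is None:
            findings.append((name, "allow-transfer not set in zone"))
        elif "any" in xfer:
            findings.append((name, "allow-transfer open to any"))
        if ztype == "slave" and not acl(body, "masters"):
            findings.append((name, "slave zone without masters list"))
    return findings

if __name__ == "__main__":
    for label, conf in (("primary", PRIMARY_CONF), ("secondary", SECONDARY_CONF)):
        for zone, problem in audit(conf):
            print(f"{label}: {zone}: {problem}")
```

A zone flagged as "not set" may still be covered by a server-wide `allow-transfer` in the `options` block, which this sketch does not read.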