Dyn DDoS this AM?

Måns Nilsson mansaxel at besserwisser.org
Fri Oct 21 23:19:57 UTC 2016


Subject: Re: Dyn DDoS this AM? Date: Fri, Oct 21, 2016 at 03:21:20PM -0700 Quoting David Birdsong (david at imgix.com):
> On Fri, Oct 21, 2016 at 2:58 PM, Randy Bush <randy at psg.com> wrote:
> 
> > anyone who relies on a single dns provider is just asking for stuff such
> > as this.
> >
> > randy
> 
> I'd love to hear how others are handling the overhead of managing two dns
> providers. Every time we brainstorm on it, we see it as blackhole of eng
> effort WRT to keeping them in sync and and then waiting for TTLs to cut an
> entire delegation over.

The fault is giving up the primary for an API connection. Sure, it is
tempting. We do, however, need to push the "application-integrated"
DNS vendors harder. They need to give their customers more choice in
how the DNS is populated. 

They also very much need to let people with above-mentioned
"application-integrated" needs add third party DNS providers in the mix.
This diversity capability is what makes DNS resilient. Monocultures have
suboptimal survivability in the long run.

Adding DNS providers when you control the primary is completely
painless. With EDNS0 there's lots of room for insanely large NS RRSETs. 

Also, do not fall in the "short TTL for service agility" trap. 

Besides, what Randy wrote. 

-- 
Måns Nilsson     primary/secondary/besserwisser/machina
MN-1334-RIPE                             +46 705 989668
Hold the MAYO & pass the COSMIC AWARENESS ...
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20161022/aa3a91c2/attachment.pgp>


More information about the NANOG mailing list