DNS pulling BGP routes?

Jean St-Laurent jean at ddostest.me
Thu Oct 7 17:02:58 UTC 2021

Well said Bill. 

I agree with you about having all your tech/adm records + registrar on the same NS... especially for your OOB domain. 

Probably what killed them. They lost access to their fb-00b-net-mgmt.io cool dns name network. It just went from bad to worst when they realized that they also lost physical access to the building.

We all learned a lot and we're still learning.

-----Original Message-----
From: Bill Woodcock <woody at pch.net> 
Sent: October 7, 2021 12:45 PM
To: Jean St-Laurent <jean at ddostest.me>
Cc: Masataka Ohta <mohta at necom830.hpcl.titech.ac.jp>; Bjørn Mork <bjorn at mork.no>; nanog at nanog.org
Subject: Re: DNS pulling BGP routes?

This was superstition, brought forward from 1992 by the folks who were yelling “damned kids get offa my lawn” at the time.

There’s no reason to include a unicast address in an NS set in the 21st century, and plenty of reasons not to (since it’ll be very difficult to load-balance with the rest of the servers).

But one should NEVER NEVER depend on a single administrative or technical authority for all your NS records.  That’s what shot Facebook in the foot, they were trying to do it all themselves, so when they shot themselves in the foot, they only had the one foot, and nothing left to stand on.  Whereas other folks shoot themselves in the foot all the time, and nobody notices, because they paid attention to the spirit of RFC 2182.


More information about the NANOG mailing list