On Wed, 8 Jul 2009, James Raftery wrote:

> Timely updates to root hints.

Why does that need end-user expertise?

Pretty much everyone gets their root hints updates the same way they 
get their TZ updates and other software fixes - via (semi-)?automated 
software update mechanisms. Just like:

> In the very near future timely updates to root zone DNSSEC keys, 
> other trust anchors (in case root signing doesn't actually happen).

will be handled the same way.

> Well behaved caches also run local zones or otherwise suppress 
> outbound queries for private-use/reserved/localhost zones which are 
> added to over time. That's just the care and maintenance side of 
> things.

For reserved/localhost: The OS can install those - in fact, that's 
just what Fedora's been doing for ages.

For the rest - an end-user doesn't care and it's irrelevant to a 
caching, recursive name-server.

> I was more talking about expertise when things aren't working 
> right. If you're running your own resolver there isn't anyone to 
> call when your cache is poisoned, your EDNS0 buffer size is causing 
> grief, you're shafted by something upstream which blocks UDP 
> messages > 512 bytes, mishandles fragments, barfs on pkts with 
> CD/AD/DO set, sets TC but doesn't do TCP, or any of the other 
> things that go screwy.

I bet you'd have trouble finding any *professional* systems admins 
who even know what you're talking about, never mind diagnose problems 
with them.

> Declan already mentioned the other side of the good hygiene 
> argument, that of sparing auth. servers from the thundering herd of 
> every end host bashing away for its own set of answers.

a) DNS scales out horizontally pretty well

b) Deploying some extra auth. DNS servers seems a lot cheaper to me
    than having a cracker be able to MITM people's sessions to their
    banks at ISP scale

    (exactly what proportion of customers would notice an SSL cert
     mismatch is another question, but it's less than 100%...)

With all due respect, I think you're so wrapped up professionally in 
the intricacies of DNS that you've lost sight of how trivial and 
fire+forget a 'caching-nameserver' package can be. ;)
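The failure modes James lists (EDNS0 buffer size, UDP replies over 512 bytes, TC set without TCP working, CD/AD/DO handling) can at least be recognised mechanically rather than by expertise. What follows is an added example, not code from this thread or from any resolver package: a minimal DNS wire-format builder/parser that sends an EDNS0 query with DO set and classifies a reply against those failure modes. The two exchanges inside it are constructed by hand, not captured, and the 1232-byte "safe" buffer size is an assumption taken from current operator guidance, not from the thread.

```python
"""Diagnose the resolver-path failures named in the thread from raw DNS messages.
Added example, not code from the thread; the exchanges are constructed, not captured."""
import random
import struct

TYPE_A, TYPE_OPT = 1, 41
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = (
    0x8000, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010)
EDNS_DO = 0x8000     # DO bit: top bit of the low 16 bits of the OPT record's TTL
SAFE_BUFSIZE = 1232  # assumed fragmentation-safe size (current guidance, not the thread)

def encode_name(name):
    """example.com -> b'\\x07example\\x03com\\x00'"""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=TYPE_A, bufsize=4096, do=True, cd=False, qid=None):
    """One question plus an EDNS0 OPT pseudo-RR advertising bufsize (and DO)."""
    qid = random.randrange(65536) if qid is None else qid
    hdr = struct.pack("!HHHHHH", qid, FLAG_RD | (FLAG_CD if cd else 0), 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode|version|DO|Z
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, EDNS_DO if do else 0, 0)
    return hdr + question + opt

def skip_name(data, off):
    """Offset just past a possibly compressed name starting at off."""
    while True:
        ln = data[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + ln

def parse_message(data):
    """Header flags plus the OPT record, if any (same layout for query and reply)."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    info = {"id": qid, "tc": bool(flags & FLAG_TC), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "rcode": flags & 0xF,
            "answers": an, "edns": None, "length": len(data)}
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        if off >= len(data):
            break                       # message cut short
        off = skip_name(data, off)
        if off + 10 > len(data):
            break
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        if rtype == TYPE_OPT:
            info["edns"] = {"bufsize": rclass, "do": bool(ttl & EDNS_DO),
                            "ext_rcode": ttl >> 24, "version": (ttl >> 16) & 0xFF}
        off += 10 + rdlen
    return info

def diagnose(query, reply):
    """Map a query/reply pair onto the failure modes listed in the thread."""
    q, r = parse_message(query), parse_message(reply)
    if r["id"] != q["id"]:
        return ["ID mismatch: spoofed or misrouted reply, discard it"]
    problems = []
    if r["tc"]:
        problems.append("TC set: truncated reply, retry over TCP (if upstream permits TCP)")
    if q["edns"] and r["edns"] is None:
        problems.append("OPT stripped: upstream drops EDNS0; fall back to 512-byte replies "
                        "and expect no DNSSEC records")
    elif q["edns"] and r["edns"]["bufsize"] < SAFE_BUFSIZE:
        problems.append("peer advertises a small UDP buffer; large DNSSEC replies will truncate")
    if q["edns"] and q["edns"]["do"] and r["edns"] and not r["edns"]["do"]:
        problems.append("DO not echoed: DNSSEC-unaware peer")
    if r["length"] > 512 and r["edns"] is None:
        problems.append("reply over 512 bytes without EDNS0: non-compliant peer or middlebox")
    return problems

def constructed_broken_exchange():
    """Constructed: DO query with 4096-byte buffer; reply has TC set and no OPT,
    as a middlebox that blocks EDNS0 or fragments might leave it."""
    query = build_query("example.com", qid=0x1234)
    hdr = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_TC, 1, 0, 0, 0)
    return query, hdr + encode_name("example.com") + struct.pack("!HH", TYPE_A, 1)

def constructed_good_exchange():
    """Constructed well-behaved reply: one A answer (owner name compressed to a
    pointer at offset 12) and the OPT record echoed with DO set."""
    query = build_query("example.com", qid=0x1235)
    hdr = struct.pack("!HHHHHH", 0x1235, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 1)
    question = encode_name("example.com") + struct.pack("!HH", TYPE_A, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 3600, 4) + bytes([192, 0, 2, 1])
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return query, hdr + question + answer + opt

if __name__ == "__main__":
    for label, (q, r) in (("broken", constructed_broken_exchange()),
                          ("good", constructed_good_exchange())):
        print(label, diagnose(q, r) or ["no problems found"])
```

To use it on a live path, send the bytes from build_query() over UDP to port 53 of the resolver or upstream under test and hand the datagram that comes back to diagnose(); repeating the same query over TCP separates a plain truncation problem from an upstream that also blocks TCP. The ID check comes first because a reply with the wrong ID is exactly what a poisoning attempt looks like, and nothing else in the message is worth reading once that fails.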

