[Sysadmins] Eircom DNS
paul at jakma.org
Wed Jul 8 22:41:34 IST 2009
On Wed, 8 Jul 2009, James Raftery wrote:
> Timely updates to root hints.
Why does that need end-user expertise?
Pretty much everyone gets their root hints updates the same way they
get their TZ updates and other software fixes - via (semi-)?automated
software update mechanisms. Just like:
> In the very near future timely updates to root zone DNSSEC keys,
> other trust anchors (in case root signing doesn't actually happen).
will be handled the same way.
> Well behaved caches also run local zones or otherwise suppress
> outbound queries for private-use/reserved/localhost zones which are
> added to over time. That's just the care and maintenance side of
For reserved/localhost: The OS can install those - in fact, that's
just what Fedora's been doing for ages.
For the rest - an end-user doesn't care and it's irrelevant to a
caching, recursive name-server.
> I was more talking about expertise when things aren't working
> right. If you're running your own resolver there isn't anyone to
> call when your cache is poisoned, your EDNS0 buffer size is causing
> grief, you're shafted by something upstream which blocks UDP
> messages > 512 bytes, mishandles fragments, barfs on pkts with
> CD/AD/DO set, sets TC but doesn't do TCP, or any of the other
> things that go screwy.
I bet you'd have trouble finding any *professional* systems admins
who even know what you're talking about, never mind diagnose problems
> Declan already mentioned the other side of the good hygiene
> argument, that of sparing auth. servers from the thundering herd of
> every end host bashing away for its own set of answers.
a) DNS scales out horizontally pretty well
b) Deploying some extra auth. DNS servers seems a lot cheaper to me
than having a cracker be able to MITM people's sessions to their
banks at the ISP-scale
(exactly what proportion of customers would notice an SSL cert
mismatch is another question, but it's less than 100%..)
With all due respect, I think you're so wrapped up professionally in
the intricacies of DNS that you've lost sight of how trivial and
fire+forget a 'caching-nameserver' package can be. ;)
Paul Jakma paul at jakma.org Key ID: 64A2FF6A
"Well, if you can't believe what you read in a comic book, what *can*
-- Bullwinkle J. Moose
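As an added illustration that is not part of the original thread: the kind of "fire+forget" local-resolver configuration the reply has in mind, written for Unbound. The file paths are assumptions; Unbound already ships default static zones for the private-use reverse trees, so the explicit `local-zone` lines only make that behaviour visible.

```conf
# Illustrative unbound.conf for a host-local caching resolver (added example;
# paths are placeholders, not taken from the thread).
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow

    # Root hints and trust anchor are files that a package/update mechanism
    # refreshes; RFC 5011 rollover of the root KSK is tracked automatically
    # via auto-trust-anchor-file, so no end-user action is needed.
    root-hints: "/etc/unbound/root.hints"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Hygiene the quoted message asks for: never send queries for
    # private-use / reserved / localhost space to the root servers.
    # Unbound installs these as static (NXDOMAIN) zones by default;
    # they are spelled out here for clarity.
    local-zone: "10.in-addr.arpa." static
    local-zone: "16.172.in-addr.arpa." static
    local-zone: "168.192.in-addr.arpa." static
    local-zone: "localhost." static
    local-data: "localhost. IN A 127.0.0.1"
    local-data: "localhost. IN AAAA ::1"

    # Discard answers that point public names at private addresses,
    # one cheap defence against poisoned or rebinding responses.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16

    # Cache-poisoning hardening and a conservative EDNS0 size so that
    # middleboxes that drop fragments or >512-byte UDP do not break us.
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: yes
    edns-buffer-size: 1232
```

A quick check after starting the daemon is that a reverse query for a 10/8 address answered by 127.0.0.1 returns NXDOMAIN with the AA flag set, showing the query never left the host.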