[Sysadmins] Eircom DNS

Colm MacCárthaigh colm at allcosts.net
Thu Jul 9 22:30:39 IST 2009


On Thu, Jul 9, 2009 at 10:07 PM, Declan Kelly<stdlib at groov.ie> wrote:
>> I bet you'd have trouble finding any *professional* systems admins
>> who even know what you're talking about, never mind diagnose problems
>> with them.
>
> Any *good* professional admin will make it his or her business to find
> out what you're talking about, and estimate how much work is involved in
> diagnosing and/or fixing the problems.

That reminds me of the Turing halting problem. It's pretty hard to
estimate how much time will be involved in diagnosing a problem
without also actually diagnosing that problem. It's taken me literally
months to diagnose some very complex problems with DNS software, and
then minutes for other problems.

Imagine a problem like "sometimes customers get the wrong answer, but
only the n-1000th time they query, after the delegated NS record
expires in their cache" - these exist.

> It does that better than most Internet services do, but that doesn't mean that it has to be scaled out.

DNS is pretty fault tolerant; one good mitigation for most end-user
problems with running your own cache is to have DHCP hand out multiple
DNS servers, and let the clients fall back to using the service
provider's DNS service.

> Having every end-user home and office computer running their own DNS
> resolver is not going to make it less likely that someone can do bad
> things - attacks on authoritative nameservers are more effective than
> going after the resolvers of any large consumer ISP, for example.

I don't agree with that, and you haven't given any evidence of it. In
general, caches are vulnerable to a far greater range of attacks than
authoritative name servers. In general, authoritative name servers are
more carefully maintained. So I don't see why it should be true.

-- 
Colm