nanog mailing list archives

Re: QWest is having some pretty nice DNS issues right now
From: Simon Waters <simonw () zynet net>
Date: Tue, 10 Jan 2006 09:12:55 +0000

On Monday 09 Jan 2006 21:26, Christopher L. Morrow wrote:
On Mon, 9 Jan 2006, Randy Bush wrote:
It seems like maybe that is all too common. Are the 'best practices'
documented for Authoritative DNS somewhere central?


yes, yes.. people who care (a lot) have read this I'm sure... I was aiming
a little lower :) like folks that have enterprise networks :) Or, maybe
even registrars offering 'authoritative dns services' like say 'worldnic'
who had most of their DNS complex shot in the head for 3 straight days :(

It is the old story of ignorance and cost, plus with DNS a "perceived loss of 

In the UK many domains are registered with a couple of the cheapest providers, 
who do not do off-network DNS, and in the past one offered non-RFC-compliant 
mail forwarding as a bonus. I've seen people switch the DNS part of a hosting 
arrangement to these guys to save about 10 USD a year. Of course people 
competing at those sort of price levels offer practically no service 
component, so even if nothing dreadful happens it still turns into a false 

It reminds me of the firewall market, when the average punter had no idea how 
to assess the "security" aspects of a firewall, and so firewall vendors ended 
up pushing throughput, and price, as the major selling points. I know people 
who bought firewalls capable of handling 160Mbps of traffic, who still have 
it filtering a 2Mbps Internet connection, badly.

By and large the big ISPs do a good job with DNS, the end users do a terrible 
job. I think once you get to the size where you need a person (or team) doing 
DNS work full-time, it probably gets a lot easier to do it right.

Perhaps I should dust off my report on the quality of DNS configurations in 
the South West of England, and turn it into a buyer's guide?

That said, I don't think doing DNS right is easy. I know pretty much exactly 
what my current employer is doing wrong, but these failures to conform to 
best practice aren't as much of a priority as the other things we are doing 
wrong. At least in our case it is done with knowledge of what can (and likely 
will eventually) go wrong.
