Re: "Re: a fun new tool from us... & 'Today's occurances' "
Paul D. Robertson (proberts@clark.net)
Wed, 28 Apr 1999 22:29:45 -0400 (EDT)
On Wed, 28 Apr 1999, Kaptain wrote:
> > FWIW, ns1.pbi.net and ns2.pbi.net show the same address, that's a no-no.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> Paul, pardon my ignorance, but why is this a no-no. Wouldn't you want any
> authoritative sources to show the same address for the same location?
> Maybe I'm just missing somethin...
The whole idea of requiring (at least) two authoritative nameservers for a
zone instead of one is so that if there's a server or network failure, the
zone doesn't disappear off the net. Both servers should be on completely
different networks, let alone different machines, let alone at different
addresses.
If this were kosher, then the requirement to have two nameservers for a
zone would be lifted. It seems that pbi.net, pacbell.net, and the
reverse zones all live on this same single nameserver on a single
Ethernet interface. Talk about apparent single points of failure (assuming
that it's not behind Distributed Director - but even then it's served from a
single autonomous system in a single advertisement).
Why even give it two names? It would *appear* that the second name was
added to get around the requirement for having two nameservers. I'd
_hope_ that's not true, and I'd _hope_ that someone with a clue were
building out scalable redundant infrastructure for high-speed networks,
but it doesn't _seem_ to be the case. If I were their customer, I'd be
making phone calls.
It's bad enough that it's an apparent bastardization of the requirement
for two authoritative nameservers; were I an attacker, this type of single
point of failure is something that I'd be looking closely at, but
Murphy of "Murphy's law" is more likely to cause trouble here. If it's
behind something like Distributed Director, and they're privately peering with
or colo'd in a place privately peering with several tier-1's, then it *might*
be ok. I can't imagine it would hurt them to advertise a second
authoritative server on a different network though.
When I build out infrastructure like nameservers, I *want* redundancy: at
least two boxes, on two networks, advertised from two different ASes,
located at two different facilities, using two different providers with
two different wireline carriers... I probably don't have anywhere near
the number of users that US West has.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280
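The check Paul describes (two NS names that resolve to one address, or to one network, are not real redundancy) as an added example, not code from the original post. The hostnames and addresses below are constructed from documentation ranges; a live version would fill the mapping from NS and A lookups. Treating two servers inside the same /24 as "same network" is an assumption standing in for AS and facility data, which is not available offline.

```python
"""Check whether a zone's authoritative nameservers are really redundant.

Input: mapping of NS hostname -> list of addresses that name resolves to.
"""
import ipaddress
from collections import defaultdict


def check_ns_redundancy(ns_addrs, prefix_len=24):
    """Return a list of findings; an empty list means no obvious single point of failure.

    prefix_len: servers inside the same /prefix_len are assumed to share a
    network (heuristic assumption; real AS / facility data is not used here).
    """
    findings = []
    if len(ns_addrs) < 2:
        findings.append("fewer than two NS records for the zone")
    by_addr = defaultdict(set)  # ip -> set of NS names answering on it
    by_net = defaultdict(set)   # network -> set of ips in it
    for ns, addrs in ns_addrs.items():
        for a in addrs:
            ip = ipaddress.ip_address(a)
            by_addr[ip].add(ns)
            by_net[ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)].add(ip)
    # Two names pointing at one address: the pbi.net pattern from the post.
    for ip, names in sorted(by_addr.items(), key=lambda kv: str(kv[0])):
        if len(names) > 1:
            findings.append(f"{', '.join(sorted(names))} share address {ip}")
    # Distinct addresses, but all inside one prefix: still one network to lose.
    for net, ips in by_net.items():
        names = set().union(*(by_addr[ip] for ip in ips))
        if len(ips) > 1 and len(names) > 1:
            findings.append(f"{', '.join(sorted(names))} are all inside {net}")
    return findings


def is_redundant(ns_addrs, prefix_len=24):
    return not check_ns_redundancy(ns_addrs, prefix_len)


# Constructed samples (RFC 5737 documentation ranges), not real lookups.
SAME_ADDRESS = {"ns1.example.net": ["192.0.2.53"], "ns2.example.net": ["192.0.2.53"]}
SAME_NETWORK = {"ns1.example.net": ["192.0.2.53"], "ns2.example.net": ["192.0.2.54"]}
SEPARATE = {"ns1.example.net": ["192.0.2.53"], "ns2.example.org": ["198.51.100.53"]}

if __name__ == "__main__":
    for label, zone in (("same address", SAME_ADDRESS), ("same /24", SAME_NETWORK), ("separate", SEPARATE)):
        print(label, check_ns_redundancy(zone) or "ok")
```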
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:18:23 CDT