On Sun, 4 Aug 2002, Chris Wedgwood wrote:
On Sun, Aug 04, 2002 at 06:59:16PM +1200, Andy Linton wrote:
You could run this on a PC based server with a decent amount of memory and no spinning disk for a few thousand dollars.
Hardware is cheap, other issues to consider are:
(1) what happens if it doesn't work --- who do I contact with a clue to deal with this?
I guess I'm thinking about the type of *large* organisation we both used to work for who spend many, many thousands of dollars on "carrier class" solutions - you know routers with dual this and that, SDH rings, fibre backup paths on trans-Pacific fibres and who install router hardware in Australia and the west coast of the US. Presumably they've already found someone with a clue or could pay someone to get one on this reasonably important issue. Surely the worst scenario is you get that nameserver switched off and plug in a replacement.
(2) what happens if someone gets access to this... could/should leaking DNS data be considered a security problem?
What happens if someone gets to the existing servers...
But if you've arranged to have your web server off-site or you're getting your mail delivered to one of the big ISPs mail server instead of exposing your own, you're toast.
If you do this, why host your own DNS though?
Well, I can see that but we both know that there are many Layer 8 problems out there that need fixed. It's a clue issue.
And I'd rather have someone resolve my domain name and find the network is down when they try to use the address rather than get no response from the DNS and think "looks like that domain name is bogus".
How do you get "looks like that domain name is bogus"? Can you show me an example of such a domain? You should get NS records from the parent zone at the very least (ignoring Network Solutions' squatting/bastardisation).
If I'm using a browser and I try www.xxx.net and there are no nameservers responding that know about the zone, won't I get a "name not found - check the name and try again" message? If I try to mail fred@bloggs.net and no A or MX record gets returned I'll get a bounce from the mail. I might run a "dig ns bloggs.net" but one or two folk out there will just shrug and think that the address is broken.
And at least that way mail will get queued in the system for a while until you sort out the network problems.
Mail will get queued if you can't contact your name-servers. If not, your MTA is badly broken and you will have plenty of problems in the real world.
I'm not talking about my MTA - I'm thinking of the case above.
It's interesting to do a 'dig ns xxxx' for most of the large ISPs in NZ. Most have their name servers apparently on the same segment.
Yes, I checked lionra.gen.nz before I posted my previous reply, but alas, I can't ridicule over that :)
Of course you'd be better looking at lionra.net.nz (:-)
Perhaps they all have multiple DNS servers located globally and are using ANYCAST to make this transparent to us all but somehow I doubt it.
If they are in the same prefix, this is pointless... consider global routing problems, they usually affect a prefix or not... not partially, so if you have all your DNS eggs in the same basket/prefix, you lose.
Sorry. I left out the <irony> </irony> tags on the above and the (:-).
I'm happy to be shot down in flames on this one as long as whoever does it publishes all the details here so that others can learn. (:-)
Oh, I know for a *fact* many sites do indeed have their DNS servers (and email, and http, etc) all in the same network. I even pointed this out to people and was told things like "yes, but we have HSRP" or "it's good enough". Who am I to tell someone else how to ru(i)n their own network? :)
That's two of us, Chris!
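A check for the "all DNS eggs in the same prefix" problem discussed above, added here as an example that is not part of the original thread. It parses constructed dig-style answer lines (placeholder hostnames and RFC 5737 addresses, not real servers) and groups each nameserver by the prefix its address falls in; /24 and /48 are assumed as a stand-in for the announced prefix.

```python
import ipaddress
from collections import defaultdict

# Constructed sample shaped like `dig +noall +answer` output: a zone's NS set
# plus an A lookup per nameserver; names/addresses are RFC 5737 placeholders.
SAMPLE = """\
example.net.        86400   IN  NS  ns1.example.net.
example.net.        86400   IN  NS  ns2.example.net.
example.net.        86400   IN  NS  ns3.example.org.
ns1.example.net.    3600    IN  A   192.0.2.10
ns2.example.net.    3600    IN  A   192.0.2.11
ns3.example.org.    3600    IN  A   203.0.113.5
"""

def parse_answers(text):
    """Return (nameserver names, {hostname: [addresses]}) from dig answer lines."""
    ns_names, addrs = [], defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue  # blank, comment or otherwise non-answer line
        owner, rtype, rdata = parts[0], parts[3], parts[4]
        if rtype == "NS":
            ns_names.append(rdata)
        elif rtype in ("A", "AAAA"):
            addrs[owner].append(ipaddress.ip_address(rdata))
    return ns_names, addrs

def prefix_groups(ns_names, addrs, v4_len=24, v6_len=48):
    """Group nameservers by address prefix (/24 for IPv4, /48 for IPv6).

    Those are the smallest prefixes usually carried in the global table, so
    they stand in for the announced prefix; a stricter check would use the
    BGP-announced prefix and origin AS of each address."""
    groups = defaultdict(set)
    for name in ns_names:
        for ip in addrs.get(name, []):
            plen = v4_len if ip.version == 4 else v6_len
            groups[ipaddress.ip_network(f"{ip}/{plen}", strict=False)].add(name)
    return groups

def single_prefix(ns_names, addrs, **kw):
    """True when every nameserver with a known address sits in one prefix."""
    return len(prefix_groups(ns_names, addrs, **kw)) <= 1

if __name__ == "__main__":
    names, addrs = parse_answers(SAMPLE)
    print(dict(prefix_groups(names, addrs)), single_prefix(names, addrs))
```

To check a live zone, replace SAMPLE with the answer sections from `dig +noall +answer ns <zone>` and an A/AAAA lookup for each listed nameserver.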