Firewall Wizards mailing list archives
Re: "Re: a fun new tool from us... & 'Today's occurances' "
From: pmsac <pmsac () camoes rnl ist utl pt>
Date: Thu, 29 Apr 1999 19:13:50 +0100 (WET DST)
On Wed, 28 Apr 1999, Paul D. Robertson wrote:
> On Wed, 28 Apr 1999, Kaptain wrote:
>>> FWIW, ns1.pbi.net and ns2.pbi.net show the same address, that's a no-no.
>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> Paul, pardon my ignorance, but why is this a no-no. Wouldn't you want any authoritative sources to show the same address for the same location? Maybe I'm just missing somethin...
A typical case of magic: hands faster than the eyes.
;; ADDITIONAL SECTION:
ns1.pbi.net.  1d23h56m40s IN A  206.13.28.11
ns2.pbi.net.  1d23h56m40s IN A  206.13.29.11
They do not, in fact, show the same address. 28 != 29. Although I agree with the follow up, there are exceptions. Small businesses do not care having only one ns on their end: if their net goes down, there's no point in resolving IPs for machines that are down (or unreachable).
Just my 0.02$
> The whole idea of requiring (at least) two authoritative nameservers for a zone instead of one is so that if there's a server or network failure, the zone doesn't disappear off the net. Both servers should be on completely different networks, let alone different machines, let alone at different addresses. If this were kosher, then the requirement to have two nameservers for a zone would be lifted.
>
> It seems that pbi.net, pacbell.net, and the reverse zones all live on this same single nameserver on a single ethernet interface, talk about apparent single points of failure (assuming that it's not behind distributed director - but even then it's served from a single autonomous system in a single advertisement.) Why even give it two names? It would *appear* that the second name was added to get around the requirement for having two nameservers. I'd _hope_ that's not true, and I'd _hope_ that someone with a clue were building out scalable redundant infrastructure for high-speed networks, but it doesn't _seem_ to be the case. If I was their customer, I'd be making phone calls.
>
> It's bad enough that it's an apparent bastardization of the requirement for two authoritative nameservers, were I an attacker, this type of single point of failure is something that I'd be looking closely at, but Murphy of "Murphy's law" is more likely to cause trouble here. If it's behind something like Distributed Director, and they're privately peering with or colo'd in a place privately peering with several tier-1's, then it *might* be ok. I can't imagine it would hurt them to advertise a second authoritative server on a different network though.
>
> When I build out infrastructure like nameservers, I *want* redundancy, at least two boxes, on two networks, advertised from two different AS', located at two different facilities, using two different providers with two different wireline carriers... I probably don't have anywhere near the number of users that US West has.
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson      "My statements in this message are personal opinions
> proberts () clark net      which may have no basis whatsoever in fact."
>                                                                      PSB#9280
--
Cavaca, P.
pmsac () camoes rnl ist utl pt
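The comparison made by eye in this message (do the A records in the ADDITIONAL SECTION differ, and do they sit on different networks?), written out as an added example that is not part of the original message or thread. The function names, the prefix-length stand-in for "same network", and the example.net records are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from itertools import combinations

# A-record line as dig prints it: name, TTL (seconds or 1d23h56m40s form), IN, A, address.
A_RECORD = re.compile(r"^(\S+)\s+(?:\d+|(?:\d+[wdhms])+)\s+IN\s+A\s+(\S+)\s*$", re.I)

def parse_glue(text):
    """Map each nameserver name to the set of IPv4 addresses listed for it."""
    glue = defaultdict(set)
    for line in text.splitlines():
        m = A_RECORD.match(line.strip())
        if m:
            glue[m.group(1).rstrip(".").lower()].add(ipaddress.IPv4Address(m.group(2)))
    return dict(glue)

def audit(glue, prefix=24):
    """Return (ns_a, ns_b, finding) for every pair of nameserver names.

    prefix is an assumed stand-in for "same network"; it cannot see routing,
    so two different /24s may still sit in one AS or one facility.
    """
    findings = []
    for a, b in combinations(sorted(glue), 2):
        nets_a = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in glue[a]}
        nets_b = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in glue[b]}
        if glue[a] & glue[b]:
            findings.append((a, b, "same-address"))
        elif nets_a & nets_b:
            findings.append((a, b, f"same-/{prefix}"))
        else:
            findings.append((a, b, "distinct"))
    return findings

# The two records quoted in the message.
PBI = """\
ns1.pbi.net. 1d23h56m40s IN A 206.13.28.11
ns2.pbi.net. 1d23h56m40s IN A 206.13.29.11
"""
# Constructed sample (documentation addresses): two names, one address.
ALIASED = """\
ns1.example.net. 86400 IN A 192.0.2.53
ns2.example.net. 86400 IN A 192.0.2.53
"""

if __name__ == "__main__":
    for label, text in (("pbi.net", PBI), ("constructed", ALIASED)):
        for a, b, finding in audit(parse_glue(text)):
            print(f"{label}: {a} / {b}: {finding}")
```

Called with `prefix=16`, the pbi.net pair is reported as `same-/16`; prefix length is only a rough proxy for the separate networks, AS numbers and facilities discussed in the quoted text.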