Re: "Re: a fun new tool from us... & 'Today's occurances' "

[pmsac <pmsac () camoes rnl ist utl pt>]

On Wed, 28 Apr 1999, Paul D. Robertson wrote:

> On Wed, 28 Apr 1999, Kaptain wrote:
>
> > > FWIW, ns1.pbi.net and ns2.pbi.net show the same address, that's a no-no.
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >
> > Paul, pardon my ignorance, but why is this a no-no.  Wouldn't you want any
> > authoritative sources to show the same address for the same location?
> > Maybe I'm just missing somethin...

        A typical case of magic: hands faster than the eyes.
>  ;; ADDITIONAL SECTION:
>  ns1.pbi.net.            1d23h56m40s IN A  206.13.28.11
>  ns2.pbi.net.            1d23h56m40s IN A  206.13.29.11

        They do not, in fact, show the same address. 28 != 29.
        Altough I agree with the follow up, there are exceptions.
        Small businesses do not care having only one ns on their end:
        if their net goes down, there's no point in resolving IPs for
        machines that are down (or unreacheable). Just my 0.02$

> The whole idea of requiring (at least) two authoritative nameservers for a 
> zone instead of one is so that if there's a server or network failure, the 
> zone doesn't disappear off the net.  Both servers should be on completely 
> different networks, let alone different machines, let alone at different 
> addresses.
>
> If this were kosher, then the requirement to have two nameservers for a 
> zone would be lifted.  It seems that pbi.net, pacbell.net, and the 
> reverse zones all live on this same single nameserver on a single 
> ethernet interface, talk about apparent single points of failure (assuming 
> that it's not behind distributed director - but even then it's served from a 
> single autonomous system in a single advertisement.) 
>
> Why even give it two names?  It would *appear* that the second name was 
> added to get around the requirement for having two nameservers.  I'd 
> _hope_ that's not true, and I'd _hope_ that someone with a clue were 
> building out scalable redundant infrastructure for high-speed networks, 
> but it doesn't _seem_ to be the case.  If I was their customer, I'd be 
> making phone calls.
>
> It's bad enough that it's an apparant bastardization of the requirement 
> for two authoritative nameservers, were I an attacker, this type of single 
> point of failure is something that I'd be looking closely at, but 
> Murphy of "Murphy's law" is more likely to cause trouble here.  If it's 
> behind something like Distributed Director, and they're privately peering with
> or colo'd in a place privately peering with several tier-1's, then it *might* 
> be ok.  I can't imagine it would hurt them to advertise a second 
> authoritative server on a different network though.
>
> When I build out infrastructure like nameservers, I *want* redundancy, at 
> least two boxes, on two networks, advertised from two different AS', 
> located at two different facilities, using two different providers with 
> two different wireline carriers...  I probably don't have anywhere near 
> the number of users that US West has.
>
>  Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson      "My statements in this message are personal opinions
> proberts () clark net      which may have no basis whatsoever in fact."
>                                                                      PSB#9280


        --
        Cavaca, P.
        pmsac () camoes rnl ist utl pt