nanog mailing list archives

Re: Dyn DDoS this AM?


From: Måns Nilsson <mansaxel () besserwisser org>
Date: Sat, 22 Oct 2016 01:19:57 +0200

Date: Fri, Oct 21, 2016 at 03:21:20PM -0700 Quoting David Birdsong (david () imgix com):
> On Fri, Oct 21, 2016 at 2:58 PM, Randy Bush <randy () psg com> wrote:
>
> > anyone who relies on a single dns provider is just asking for stuff such
> > as this.
> >
> > randy
>
> I'd love to hear how others are handling the overhead of managing two dns
> providers. Every time we brainstorm on it, we see it as a black hole of eng
> effort WRT keeping them in sync and then waiting for TTLs to cut an
> entire delegation over.

The fault is giving up the primary for an API connection. Sure, it is
tempting. We do, however, need to push the "application-integrated"
DNS vendors harder. They need to give their customers more choice in
how the DNS is populated. 

They also very much need to let people with above-mentioned
"application-integrated" needs add third party DNS providers in the mix.
This diversity capability is what makes DNS resilient. Monocultures have
suboptimal survivability in the long run.

Adding DNS providers when you control the primary is completely
painless. With EDNS0 there's lots of room for insanely large NS RRsets.

Also, do not fall in the "short TTL for service agility" trap. 

Besides, what Randy wrote. 

-- 
Måns Nilsson     primary/secondary/besserwisser/machina
MN-1334-RIPE                             +46 705 989668
Hold the MAYO & pass the COSMIC AWARENESS ...

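As an added illustration of the points in the reply above (provider diversity in the NS RRset, the TTL remark, and the EDNS0 remark), here is a small Python script that is not part of the original thread. It runs offline over a constructed NS RRset and reports whether every nameserver sits at one provider, whether the NS TTL is short or inconsistent, and whether the referral would still fit a classic 512-byte UDP reply or needs EDNS0 to avoid truncation. The provider heuristic (last two labels of the nameserver hostname), the 86400-second minimum NS TTL, the 4096-byte EDNS0 buffer and the sample zone data are all assumptions made for the example.

```python
"""Offline sanity checks for a zone's NS RRset: provider diversity, TTL policy and
whether the referral fits a classic 512-byte UDP reply or needs EDNS0.
Added example; the zone data below is constructed, not taken from any real provider."""
from typing import Optional

CLASSIC_UDP_LIMIT = 512   # maximum UDP DNS payload without EDNS0 (RFC 1035)
EDNS0_BUFSIZE = 4096      # an assumed, commonly advertised EDNS0 UDP buffer size (RFC 6891)
MIN_NS_TTL = 86400        # assumed policy: NS records are not "agile", one day minimum


def wire_name_len(name: str) -> int:
    """Uncompressed wire length of a domain name: a length byte per label plus the root byte."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return sum(1 + len(label) for label in labels) + 1


def provider_of(nsdname: str) -> str:
    """Heuristic provider key: the last two labels of the nameserver hostname."""
    labels = nsdname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def referral_size(zone: str, ns_names: list, glue: dict) -> int:
    """Upper-bound size in bytes of an NS answer: header, question, NS RRs and glue.
    Owner names are counted as 2-byte compression pointers; NSDNAME RDATA is
    counted uncompressed, so this is a conservative over-estimate."""
    size = 12 + wire_name_len(zone) + 4                  # header + QNAME + QTYPE + QCLASS
    for nsdname in ns_names:
        size += 2 + 10 + wire_name_len(nsdname)          # owner ptr + TYPE/CLASS/TTL/RDLENGTH + NSDNAME
    for addrs in glue.values():
        for addr in addrs:
            rdlen = 16 if ":" in addr else 4             # AAAA glue vs A glue
            size += 2 + 10 + rdlen
    return size


def check_ns_rrset(zone: str, ns_records: list, glue: Optional[dict] = None,
                   min_ttl: int = MIN_NS_TTL) -> dict:
    """ns_records is a list of (NSDNAME, TTL) tuples; glue maps NSDNAME to address strings.
    Returns the findings as a dict of plain values."""
    glue = glue or {}
    providers = {provider_of(name) for name, _ in ns_records}
    ttls = {ttl for _, ttl in ns_records}
    size = referral_size(zone, [name for name, _ in ns_records], glue)
    return {
        "ns_count": len(ns_records),
        "providers": sorted(providers),
        "single_provider": len(providers) < 2,   # the monoculture the thread warns about
        "short_ttl": min(ttls) < min_ttl,        # the "short TTL for agility" trap
        "mixed_ttl": len(ttls) > 1,              # RRs of one RRset should share a TTL (RFC 2181)
        "wire_bytes": size,
        "fits_without_edns0": size <= CLASSIC_UDP_LIMIT,
        "fits_with_edns0": size <= EDNS0_BUFSIZE,
    }


# Constructed sample 1: everything at one API-driven provider, short TTL.
SINGLE_PROVIDER = [("ns1.dns-provider-a.net.", 300), ("ns2.dns-provider-a.net.", 300)]

# Constructed sample 2: a hidden primary feeding three secondary providers, five NS each.
DIVERSE = [("ns%d.dns-provider-%s." % (i, p), 86400)
           for p in ("a.net", "b.org", "c.io") for i in range(1, 6)]


if __name__ == "__main__":
    for label, records in (("single", SINGLE_PROVIDER), ("diverse", DIVERSE)):
        print(label, check_ns_rrset("example.com.", records))
```

The second sample shows the EDNS0 point: fifteen out-of-bailiwick NS names already push the referral past 512 bytes, so a client without EDNS0 gets a truncated reply and retries over TCP, while a 4096-byte EDNS0 buffer has plenty of room. The first sample is the shape the thread argues against: one provider and a TTL too short to ride out an outage at that provider.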

