nanog mailing list archives

Re: Dyn DDoS this AM? - dns


From: alvin nanog <nanogml () Mail DDoS-Mitigator net>
Date: Fri, 21 Oct 2016 23:16:17 -0700


On 10/21/16 at 03:21pm, David Birdsong wrote:
> On Fri, Oct 21, 2016 at 2:58 PM, Randy Bush <randy () psg com> wrote:
> > anyone who relies on a single dns provider is just asking for stuff such
> > as this.
>
> :-)
>
> I'd love to hear how others are handling the overhead of managing two dns
> providers.

in my view of ( automated ) dns management:

Only on the one "master" dns server, make your DNS changes, update the 
serial number for example.com changes and reload the newly updated zone
file ... notifications go out to all known slave DNS servers ..

For all the other authorized DNS servers, they should all automatically 
update themselves ... magic all dns servers are in sync ...

some folks don't like "master" DNS server vs slaves .. i donno why not ..

but, you do have to configure your "master dns server" properly to 
only allow authorized slaves access to their dns records

similarly, slave DNS servers should only update from their recognized
master dns server

there should be zero issues with managing 2 dns servers or 100 dns servers

before downloading new dns info, Man-in-the-Middle tests with OpenSSL 
certs should be done to confirm the other end is in fact who you think
it is that you're going to be sending dns info to or receiving from

c ya
alvin
http://DDoS-Mitigator.net 
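The master/slave arrangement alvin describes, written out as BIND 9 named.conf fragments. This is an added example, not part of the post above or of any configuration the author published. It authenticates zone transfers and NOTIFY messages with a shared TSIG key (BIND's standard mechanism for this) rather than the OpenSSL certificate check the post mentions, and it assumes the master and slave addresses 192.0.2.1, 192.0.2.53 and 2001:db8::53, which are RFC 5737/3849 documentation addresses; the key name "xfer-key" and its secret are placeholders.

```conf
// ---- Constructed example (not from the post): shared on master and slave ----
// Generate a real secret with:  tsig-keygen xfer-key
// The base64 value below is a placeholder, never use it as-is.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET_REPLACE_ME==";
};

// ================= master: the only server where zone edits happen =================
options {
    // Default deny: a zone can only be transferred if the zone statement says so.
    allow-transfer { none; };
    // Send NOTIFY only to the servers listed in also-notify, not to every NS record.
    notify explicit;
};

zone "example.com" {
    type master;
    file "/var/named/example.com.zone";
    // Only requests signed with the shared key may pull the zone, so an
    // unauthorized host cannot enumerate the records with an AXFR.
    allow-transfer { key xfer-key; };
    // Signed NOTIFY to the known slaves; they start a transfer on receipt.
    also-notify { 192.0.2.53 key xfer-key; 2001:db8::53 key xfer-key; };
};

// ================= slave: pulls example.com only from the recognized master =================
zone "example.com" {
    type slave;
    file "/var/named/slaves/example.com.zone";
    // Transfer requests go to this address, are signed with the shared key,
    // and the master's responses must verify under the same key or are dropped.
    masters { 192.0.2.1 key xfer-key; };
    // Ignore NOTIFY from anyone other than the master (a forged NOTIFY could
    // otherwise trigger needless transfer attempts).
    allow-notify { 192.0.2.1; };
    // The slave never hands the zone on to third parties.
    allow-transfer { none; };
};
```

To confirm the "all dns servers are in sync" state after a change, compare the SOA serial on every authoritative server (for example `dig +short SOA example.com @192.0.2.53`); a server still reporting the old serial has not completed its transfer and is the one to investigate.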
