Educause Security Discussion mailing list archives

Re: Hosting Another IHE's Web Services in the Event of a Disaster


From: "Clark, Joseph K" <ClarkJK () COFC EDU>
Date: Mon, 23 Oct 2006 16:06:45 -0400

The whole ttl question reminded me of a Slashdot article awhile back,
http://ask.slashdot.org/article.pl?sid=05/04/18/198259

Thanks,
Joseph Clark
Senior Network Engineer
IT, College of Charleston
(843) 953-3846 | clarkjk () cofc edu


-----Original Message-----
From: Harry Flowers [mailto:flowers () MEMPHIS EDU] 
Sent: Monday, October 23, 2006 10:51 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Hosting Another IHE's Web Services in the Event of a Disaster

You don't have to use your ISP as your DNS backup.  In fact, if the
problem is *at* your ISP, you'd be better off with someone who has a
different ISP, especially if we're talking about getting to a server at
another site that also didn't depend on that ISP.

Pretty much anyone can be a secondary... You want it to be someone you
have a degree of trust with, because they have the potential to change
at least their instance of your DNS records, which can be used for "man
in the middle" attacks. (See, we got back to security. ;-)

About DNS TTL's, you can set them per record, so you could set up a
handful of critical ones where you have a backup at another site to be
lower than the default for your site.  That way, there's only an
increased load for that handful of address lookups (though, given the
nature of what we're trying to accomplish, they may be the most heavily
used ones).
-- 
Harry Flowers
Manager, Systems Software
Information Technology Division
The University of Memphis
(901) 678-3650

-----Original Message-----
From: John Kaftan [mailto:jkaftan () UTICA EDU] 
Sent: Monday, October 23, 2006 7:45 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Hosting Another IHE's Web Services in the Event of a Disaster

I tried to get a secondary DNS setup offsite but our DNS guy shot it down.
He said that the Tier1 DNS providers force an extended TTL to save traffic
and cycles on their DNS servers.  Therefore no matter what you set your TTL
to, some folks will not be able to get to your backup site for an extended
period of time.

Has anyone experienced this?  

I am looking to do this anyway in the near future as we are going to switch
ISPs soon and I want to ease the pain of re-numbering.



-----Original Message-----
From: Valdis Kletnieks [mailto:Valdis.Kletnieks () VT EDU] 
Sent: Friday, October 20, 2006 6:48 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Hosting Another IHE's Web Services in the Event of a Disaster

On Fri, 20 Oct 2006 16:22:15 CDT, Harry Flowers said:
We're doing that with another university in our state system that's
about 200 miles away.  To answer the additional question about DNS, we
have a secondary at yet a different university in a different state.  At
the minimum, you'd want a secondary at your host site if nowhere else.
In the event of an emergency where none of your services were available,
you'd need to have someone edit the secondary manually to change the IP
address for your primary web server.

The part people who do this *always* manage to forget is to publish the DNS
entries with a low enough TTL to matter - if www.yourschool.edu has a 5-day
TTL on it, it's likely going to be several days before some places notice.
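The per-record TTL advice in Harry's reply and the "low enough TTL to matter" point above can be checked mechanically before a disaster rather than discovered during one. Below is an added example, not code from the thread or any of its authors: it parses a minimal BIND-style zone (a `$TTL` default plus `name [ttl] IN type rdata` records, all names and addresses constructed) and reports which critical records would keep resolvers pointed at the dead site longer than the failover target.

```python
"""Audit effective TTLs in a BIND-style zone against a failover target.

Added example (not from the thread). Assumes a minimal zone syntax:
an optional `$TTL <seconds>` default followed by lines of the form
`name [ttl] IN type rdata`. Every name and address here is constructed.
"""
import re

# Constructed sample zone: a 5-day default TTL, with only www lowered to
# 5 minutes; mail and portal inherit the default and will be flagged.
SAMPLE_ZONE = """\
$TTL 432000
@           IN NS   ns1.example.edu.
@           IN NS   ns2.other-university.edu.   ; secondary at another site
www     300 IN A    192.0.2.10
mail        IN A    192.0.2.20
portal      IN A    192.0.2.30
"""

_RECORD_RE = re.compile(r"^(\S+)\s+(?:(\d+)\s+)?IN\s+(\S+)\s+(.+)$")


def parse_zone(text):
    """Return a list of (name, effective_ttl, type, rdata) tuples."""
    default_ttl = None
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        m = _RECORD_RE.match(line)
        if not m:
            raise ValueError(f"unparsed zone line: {raw!r}")
        name, ttl, rtype, rdata = m.groups()
        if ttl is None and default_ttl is None:
            raise ValueError(f"no TTL for {name!r} and no $TTL default")
        records.append((name, int(ttl) if ttl else default_ttl, rtype, rdata))
    return records


def audit_ttls(text, critical, max_ttl):
    """Map each critical name whose effective TTL exceeds max_ttl to that TTL.

    A name in the result may stay cached at the old address for up to that
    many seconds after the secondary is edited to point at the backup site.
    """
    worst = {}
    for name, ttl, _rtype, _rdata in parse_zone(text):
        if name in critical and ttl > max_ttl:
            worst[name] = max(worst.get(name, 0), ttl)
    return worst
```

Run the audit over your real zone with the names you expect to fail over and a target such as 300 seconds; anything it reports is a record whose cached copies, not the secondary, will decide how long users keep reaching the old address.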
