Re: Exploits start against flaw that could hamstring huge swaths of Internet | Ars Technica

[Damian Menscher via NANOG <nanog () nanog org>]

On Tue, Aug 4, 2015 at 9:39 AM, Mark Andrews <marka () isc org> wrote:

> In message <9C2ACA5A-755D-4FCF-8491-745A1F9111BA () puck nether net>, Jared
> Mauch writes:
> > I recommend using DNSDIST to balance traffic at a protocol level as you
> can h=
> > ave implementation diversity on the backside.=20
> >
> > I can send an example config out later for people. You can balance to
> bind N=
> > SD and others all at the same time :-) just move your SPoF
>
> Unless the same client hits the same server all the time this is a
> bad idea.

But tying a set of clients to the same backend puts them all in the same
failure domain....

Resolvers actually track capabilities of servers as it is the only
> way to get answers due to firewalls dropping legitimate packet and
> protocol misimplementations.  Add to that different vendors /
> versions supporting different extensions randomly flipping between
> vendors / versions is frought with danger unless you take extreme
> care.


Out of curiosity, do any resolvers other than BIND do this?  I ask because
BIND has a reputation for having "too many" features, and I wonder if this
is one of them.

Damian

> > On Aug 4, 2015, at 10:03 AM, Jay Ashworth <jra () baylink com> wrote:
> > > Everyone got BIND updated?
> http://arstechnica.com/security/2015/08/exploits-start-against-flaw-that-c
> > ould-hamstring-huge-swaths-of-internet/
> > > --
> > > Sent from my Android phone with K-9 Mail. Please excuse my brevity.
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka () isc org