Zope.org DNS ( was Re: [ZWeb] http://namespaces.zope.org/zope )

Justizin justizin at siggraph.org
Tue Sep 26 12:20:49 EDT 2006


On 9/26/06, Jens Vagelpohl <jens at dataflake.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> On 26 Sep 2006, at 18:00, Justizin wrote:
> >> Do you know how DNS works? Slaves don't just ask for a transfer
> >> willy-nilly. Slaves are known to the primary and they get told when to ask.
> >>
> >
> > I'm not sure this is correct.  We should investigate before insulting
> > each other's intelligence.
>
> This is exactly how it has correctly worked for me for years working
> with bind-based nameservers. You can always set up "rogue"
> secondaries that purport to serve zope.org, which then would have to
> be allowed to manually pull zone data, but what would be the point of
> that..?
>

Okay, that's not what I'm suggesting.  Whether you run it by hand or
not, with BIND, you would use named-xfer, which executes an AXFR
request.

So, if the master has to know about the slaves to *tell* them to grab
the zone, then it knows about them to *allow* an AXFR, no?

Why are we arguing this?  It's pretty clear at this point that
ZoneEdit can handle this need.  I wasn't familiar with it off-hand.

What I *do* know is that I can't pull an AXFR query of google.com and
get the entire Zone, not from my local machine, which is not an
approved DNS slave.

>
> > It's a sad logical fallacy for you to state that because you have
> > never seen this problem, it does not exist.  I spent nearly three
> > years as an engineer at one of the world's largest providers of managed
> > internet services, and I can tell you that NS.RACKSPACE.COM and
> > NS2.RACKSPACE.COM are hit multiple times a year by 8MB/s or greater
> > DDoS attack.
> >
> > This was in a datacenter with 9GB/s of bandwidth via multiple OC-48
> > connections.
>
> Sorry, I don't buy your argument. First of all, big companies like
> Rackspace will always be an attractive target. We're talking about
> one piddling open source project here. Secondly, you're omitting the
> need for economy/sanity. Rackspace has a strong economical need to be
> up 24/7. Yes, you could put 20 secondaries into the zope.org DNS
> structure, but what is the point? You will never need that capacity
> in your life. 3 total is plenty. With 20 secondaries you also have 20
> cats to herd, meaning 20 people who own and manage those secondaries.
>

(a) ZoneEdit probably has more zones than Rackspace, which is
classified in Texas as a Small Business.  ZoneEdit is well known
enough that a handful of people on this small mailing list know of it.
People don't quite always target Rackspace, they often targeted
specific Rackspace customers.  Someone might target ZoneEdit.

(b) None of this matters because three of us offered to host slaves!
Why are you arguing against doing something you volunteered to do?

And why do you think I am trying to "sell" an argument?  I'm telling
you - it was my job to run a big DNS infrastructure.  Judging by
"ns12.zoneedit.com" and "ns10.zoneedit.com" which have been allocated
to the zope.org zone I set up, ZoneEdit is running a similar magnitude
of infrastructure.

On the other side of the coin, btw, if ZoneEdit is small fries in
comparison to Rackspace, maybe that's a good reason not to rely on
them as the only nameservers for zope.org.  If their provider goes out
for a few hours, we want zope.org to be available to the world.

I think you are exaggerating the extent to which my suggestion makes
this complicated.

My suggestion: "Since several of us volunteer to donate DNS services
to zope.org, let's all provide services, as DNS servers are known,
from time to time, for various reasons, to go down."

If you disagree with that, then please, by all means, explain why.
Otherwise, let go.  We're all very smart.  Let's make things happen.

-- 
Justizin, Independent Interactivity Architect
ACM SIGGRAPH SysMgr, Reporter
http://www.siggraph.org/
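Added example (editor's note, not part of the thread and not the zope.org configuration): the BIND 9 named.conf stanzas that implement what both sides of the exchange above are describing. The primary lists its secondaries once so that they are NOTIFYed when the serial changes and so that their AXFR requests are permitted; any other host asking for the zone gets REFUSED. The IP addresses (from the RFC 5737 documentation ranges), file paths and ACL name are placeholders, not the real zope.org or ZoneEdit servers.

```conf
// ---- named.conf on the primary (placeholder address 203.0.113.1) ----

// Weak setting: any host on the Internet can pull the whole zone with
// one AXFR request, which is what "dig AXFR" against a misconfigured
// server returns.
// zone "zope.org" {
//     type master;
//     file "/etc/bind/db.zope.org";
//     allow-transfer { any; };
// };

// Corrected setting: the secondaries are named once and used for both
// purposes (who gets told, who is allowed to ask).
acl "zope-secondaries" {
    192.0.2.2;        // volunteer secondary A (placeholder)
    198.51.100.2;     // volunteer secondary B (placeholder)
};

options {
    // Safe default for every zone unless a zone overrides it.
    allow-transfer { none; };
    // Send NOTIFY to the servers in the zone's NS records on every
    // serial change.
    notify yes;
};

zone "zope.org" {
    type master;
    file "/etc/bind/db.zope.org";
    allow-transfer { "zope-secondaries"; };
    // NOTIFY already goes to the NS records; list any secondary here
    // that is not (yet) published in NS so it is told as well.
    also-notify { 192.0.2.2; 198.51.100.2; };
};

// ---- named.conf on a secondary (placeholder address 192.0.2.2) ----
zone "zope.org" {
    type slave;
    file "/var/cache/bind/db.zope.org";
    masters { 203.0.113.1; };   // the primary above (placeholder)
    allow-transfer { none; };   // do not re-export the zone from here
};
```

To check the result from a host that is not in the ACL, run `dig @203.0.113.1 zope.org AXFR` (with the real primary's address in place of the placeholder); a correctly restricted primary answers with "Transfer failed." rather than the zone contents, while the same query from a listed secondary returns every record. Where the secondaries sit behind NAT or change addresses, a TSIG key in the ACL in place of the IP addresses gives the same control without tying it to an address.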


More information about the Zope-web mailing list