netsec-sig - [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?
Subject: Internet2 Network Security SIG
- From: Bill Owens <>
- To: Steven Wallace <>
- Cc: "" <>, NTAC <>, Kim Milford <>, "" <>
- Subject: [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?
- Date: Fri, 3 Nov 2017 01:44:38 +0000
It sounds as though this would solve many problems in your isolated campus scenario, but I wonder about the side effects on providers who load balance by returning different DNS results. It’s not uncommon to see 60-second TTLs in records from cloud providers, sometimes even shorter. I think it is unlikely that the server behind whatever A record BIND decided to stick with would simply go away, but it is possible that server would be overwhelmed by the continuous load from your campus. It might be worth a discussion with your critical cloud providers, if they’re willing to discuss that ‘secret sauce’.
Bill.
On Nov 2, 2017, at 11:00 AM, Steven Wallace <> wrote: