Subject: Re: Dyn DDoS this AM?
Date: Fri, Oct 21, 2016 at 03:21:20PM -0700

Quoting David Birdsong (david@imgix.com):

> On Fri, Oct 21, 2016 at 2:58 PM, Randy Bush <randy@psg.com> wrote:
>
>> anyone who relies on a single dns provider is just asking for stuff
>> such as this.
>>
>> randy
>
> I'd love to hear how others are handling the overhead of managing two
> DNS providers. Every time we brainstorm on it, we see it as a black hole
> of eng effort WRT keeping them in sync and then waiting for TTLs to cut
> an entire delegation over.
The fault is giving up the primary for an API connection. Sure, it is tempting. We do, however, need to push the "application-integrated" DNS vendors harder. They need to give their customers more choice in how the DNS is populated. They also very much need to let people with above-mentioned "application-integrated" needs add third party DNS providers in the mix. This diversity capability is what makes DNS resilient. Monocultures have suboptimal survivability in the long run.

Adding DNS providers when you control the primary is completely painless. With EDNS0 there's lots of room for insanely large NS RRSETs.

Also, do not fall into the "short TTL for service agility" trap.

Besides, what Randy wrote.

-- 
Måns Nilsson     primary/secondary/besserwisser/machina
MN-1334-RIPE                            +46 705 989668
Hold the MAYO & pass the COSMIC AWARENESS ...
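The thread above argues for a delegation spread across more than one DNS provider, with a primary you control feeding all of them, sane TTLs, and zones kept in sync. The following is an added example, not code from any of the posters or from any DNS vendor: a small offline audit that parses dig-style answer lines (constructed sample data, using placeholder names under .test) and reports three things a defender would check after an outage like this one: whether every NS in the apex RRset belongs to a single provider, whether any record carries a TTL below a chosen floor, and whether the SOA serial seen at each provider agrees (drift means the secondaries are not pulling the same zone). The "provider" heuristic (registrable parent of the NS hostname) and the 300-second TTL floor are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like `dig +noall +answer example.test NS` output.
SAMPLE_NS_ANSWER = """\
example.test.  3600  IN  NS  ns1.dns-provider-a.test.
example.test.  3600  IN  NS  ns2.dns-provider-a.test.
example.test.  3600  IN  NS  ns1.dns-provider-b.test.
example.test.  3600  IN  NS  ns2.dns-provider-b.test.
"""

# Constructed sample: the SOA each provider's nameserver answered when asked
# directly (`dig @ns1.dns-provider-a.test example.test SOA`). Provider B is one
# serial behind, as it would be if a NOTIFY/AXFR had not completed.
SAMPLE_SOA_PER_PROVIDER = {
    "ns1.dns-provider-a.test.": "example.test. 3600 IN SOA hidden-primary.example.test. "
                                "hostmaster.example.test. 2016102101 7200 900 1209600 300",
    "ns1.dns-provider-b.test.": "example.test. 3600 IN SOA hidden-primary.example.test. "
                                "hostmaster.example.test. 2016102100 7200 900 1209600 300",
}

# owner  ttl  IN  type  rdata   (class is assumed to be IN in this example)
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def parse_rr_lines(text):
    """Parse dig-style answer lines into (owner, ttl, rtype, rdata) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):      # skip blanks and dig comments
            continue
        m = RR_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable RR line: {line!r}")
        owner, ttl, rtype, rdata = m.groups()
        records.append((owner.lower(), int(ttl), rtype.upper(), rdata.strip()))
    return records


def provider_of(nameserver):
    """Heuristic (assumption): the operator is the registrable parent of the NS
    hostname, e.g. ns1.dns-provider-a.test. -> dns-provider-a.test.
    No public-suffix handling; good enough to spot a single-vendor NS set."""
    labels = nameserver.rstrip(".").split(".")
    return ".".join(labels[-2:]) + "."


def audit_ns_diversity(records, min_providers=2):
    """Group the apex NS RRset by provider and flag a monoculture."""
    ns_rdata = [r[3].lower() for r in records if r[2] == "NS"]
    by_provider = defaultdict(list)
    for ns in ns_rdata:
        by_provider[provider_of(ns)].append(ns)
    return {
        "nameservers": len(ns_rdata),
        "providers": dict(by_provider),
        "single_provider": len(by_provider) < min_providers,
    }


def audit_ttls(records, min_ttl=300):
    """Return (owner, type, ttl) for every record below the TTL floor."""
    return [(r[0], r[2], r[1]) for r in records if r[1] < min_ttl]


def audit_serial_drift(soa_by_server):
    """Compare the SOA serial served by each provider; any mismatch is drift."""
    serials = {}
    for server, line in soa_by_server.items():
        (_, _, _, rdata), = parse_rr_lines(line)   # exactly one SOA line expected
        serials[server] = int(rdata.split()[2])    # mname rname SERIAL refresh ...
    return {"serials": serials, "in_sync": len(set(serials.values())) == 1}


if __name__ == "__main__":
    recs = parse_rr_lines(SAMPLE_NS_ANSWER)
    print("NS diversity:", audit_ns_diversity(recs))
    print("Short TTLs:", audit_ttls(recs))
    print("Serial drift:", audit_serial_drift(SAMPLE_SOA_PER_PROVIDER))
```

In practice the three inputs come from `dig` against the parent's delegation and against each provider's servers in turn; the serial check is the cheap, continuous answer to the "keeping them in sync" worry, since a hidden primary that NOTIFYs every provider should leave no lasting drift.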