Subject: Re: Dyn DDoS this AM?
Date: Sat, Oct 22, 2016 at 01:37:09AM +0200

Quoting Niels Bakker (niels@bakker.net):

> * mansaxel@besserwisser.org (Måns Nilsson) [Sat 22 Oct 2016, 01:27 CEST]:
>
> > Also, do not fall in the "short TTL for service agility" trap.
>
> Several CDNs, Akamai among them, do use short TTLs for this exact reason. Server load is constantly monitored and taken into account when crafting DNS replies.
But the problem is that this trashes caching, and DNS does not work without caches. At least not if you want it to survive when the going gets tough. If we're going to solve this we need to innovate beyond the pathetic CNAME chains that today's managed DNS services make us use, and get truly distributed load-balancing decision-making (which only will work if you give it sensible data; a single CNAME is not sensible data) all the way out in the client application.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Well, I'm INVISIBLE AGAIN ... I might as well pay a visit to the LADIES ROOM ...
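The caching argument in the reply above can be made concrete with a small simulation. The following is an added example, not code from the thread or from any of the people quoted in it: it models one recursive resolver, one name, and a steady stream of client lookups, and counts how many lookups fail while the authoritative servers are unreachable (the Dyn scenario) for a short TTL versus a long one. The `serve_stale` switch is a simplified stand-in for the resolver-side mitigation later standardised as RFC 8767 (serving expired cache data when the authority cannot be reached); the numbers, intervals and outage window are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Outcome:
    """Tally of what clients saw over the simulated period."""
    answered: int        # lookups that got an answer (fresh or, if allowed, stale)
    failed: int          # lookups that got SERVFAIL / timeout
    auth_queries: int    # queries the resolver sent towards the authoritative servers


def simulate(ttl, outage, horizon=7200, interval=10, serve_stale=False):
    """Constructed model of a single resolver cache entry.

    ttl       - TTL (seconds) the authoritative server puts on the record
    outage    - (start, end): authoritative servers unreachable for start <= t < end
    horizon   - total simulated time in seconds
    interval  - one client lookup every `interval` seconds
    serve_stale - if True, the resolver answers from an expired entry during the outage
    """
    start, end = outage
    have_record = False   # has the resolver ever fetched the record?
    expires_at = -1       # absolute time the cached copy stops being fresh
    answered = failed = auth = 0

    for t in range(0, horizon, interval):
        # Cache hit: fresh copy, no upstream traffic, unaffected by the outage.
        if have_record and t < expires_at:
            answered += 1
            continue

        # Cache miss or expired entry: the resolver must ask the authority.
        auth += 1
        if start <= t < end:
            # Authority unreachable. Without serve-stale the client gets nothing.
            if serve_stale and have_record:
                answered += 1
            else:
                failed += 1
        else:
            have_record = True
            expires_at = t + ttl
            answered += 1

    return Outcome(answered, failed, auth)


def failure_fraction(ttl, outage, **kw):
    """Share of client lookups that failed, as a float in [0, 1]."""
    o = simulate(ttl, outage, **kw)
    return o.failed / (o.answered + o.failed)


if __name__ == "__main__":
    # Constructed scenario: a one-hour authoritative outage starting 30 minutes in.
    outage = (1800, 5400)
    for ttl in (60, 300, 3600):
        o = simulate(ttl, outage)
        print(f"ttl={ttl:5d}s  failed={o.failed:4d}  auth_queries={o.auth_queries:4d}")
    o = simulate(60, outage, serve_stale=True)
    print(f"ttl=   60s  serve-stale  failed={o.failed:4d}  auth_queries={o.auth_queries:4d}")
```

With a 60-second TTL every lookup during the outage beyond the first minute fails and the resolver keeps hammering the unreachable authority; with a one-hour TTL the cache carries clients through until the entry expires mid-outage, and total upstream query volume drops by more than half. Serve-stale removes the client-visible failures for the short-TTL case but does nothing about the upstream query load, which is the point the reply makes: a short TTL buys agility only as long as the authority is reachable.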