On 15 Jun 2004, at 21:28, Stewart, William C (Bill), RTSLS wrote:
> Daniel Golding suggested that the problem was that many folks are sharing Akamai's magic DNS algorithms. This doesn't appear to be a problem with magic algorithms - it appears that they're sharing the _servers_, and that the reported attack on the servers means that it doesn't matter how magic the algorithms are. Good luck to them on developing a longer-term workaround for the next attack.
Workarounds and defences already exist, and have been in use for a long time.

- The chance of catastrophic, systematic operator error (e.g. rdist gone wild, RIF-frenzied, root-wielding, caffeine-crazed sysadmins run amok) can be avoided by including nameservers managed by different organisations in the NS set.
- Distributed (and non-distributed) denial of service attacks can be mitigated using dispersed anycast nameserver deployment.
- Network partition/isolation events (e.g. undersea cable failures which isolate an economy) can be mitigated by strategic location of (anycast instances of) locally-relevant nameservers.
- Operational routing and instrumentation challenges with managing a dispersed anycast deployment can be mitigated by including non-anycast nameservers in the NS set alongside the anycast nameservers.
- Failures due to ancillary equipment failure can be avoided by eliminating single points of failure (e.g. wide geographic dispersion of nameservers into topologically-distant infrastructure).
- Failures due to political interference can be avoided by deploying nameservers in complementary regions of governance.
- Failures or vulnerabilities in individual DNS implementations can be mitigated by ensuring that not all nameservers in the NS set run the same DNS software (or similar software, developed from a common code base).
- Failures or vulnerabilities in ancillary software (routers, switches, operating systems, etc.) can be mitigated by ensuring that different nameservers rely on different brands of routers, switches and operating systems.
- Failures in master servers can be mitigated by having several of them; simultaneous failure of all master servers can be managed to some degree using appropriate SOA timers, so that slave servers provide coverage while master servers are brought back into service.

Different styles of attack can be mitigated by different DNS hosting strategies.
A robustly-hosted zone will have an NS set that exhibits several or all of these approaches (and others too). The hosting of the root zone provides guidance here.

Joe
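The checks in the message above can be turned into a small audit of a zone's NS set. The script below is an added example written for this page, not code from the post or from any DNS operator; the nameserver records, the attributes attached to them (operating organisation, DNS implementation, operating system, region, anycast or not) and the SOA timers are constructed sample data, and the thresholds `MIN_NS` and `MIN_EXPIRE_SECONDS` are assumptions chosen for the example rather than values the post states.

```python
"""Audit a zone's NS set for the diversity properties described in the post.

All data here is constructed for illustration; in practice the attributes would
be filled in from the operator's own records (who runs each server, what it runs).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class NameServer:
    name: str       # NS hostname
    org: str        # organisation operating the server
    software: str   # DNS implementation (e.g. "bind9", "nsd", "knot")
    os: str         # operating system the server runs on
    region: str     # region of governance the server sits in
    anycast: bool   # True if the name is served by dispersed anycast instances


@dataclass(frozen=True)
class SoaTimers:
    refresh: int    # seconds between slave refresh attempts
    retry: int      # seconds between retries after a failed refresh
    expire: int     # seconds a slave keeps answering after its last good refresh


# Thresholds chosen for this example (assumptions, not values from the post).
MIN_NS = 2
MIN_EXPIRE_SECONDS = 7 * 86400   # a week of slave coverage if every master is down


def audit_ns_set(servers, soa):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if len(servers) < MIN_NS:
        findings.append(f"only {len(servers)} nameserver(s); at least {MIN_NS} expected")
        return findings

    # Monoculture checks: each attribute should take more than one value across the set.
    def require_diversity(attr, label):
        values = {getattr(s, attr) for s in servers}
        if len(values) < 2:
            findings.append(f"all nameservers share one {label}: {values.pop()}")

    require_diversity("org", "operating organisation")
    require_diversity("software", "DNS implementation")
    require_diversity("os", "operating system")
    require_diversity("region", "region of governance")

    # Anycast: some instances absorb floods; a unicast server keeps routing diagnosis simple.
    anycast = [s for s in servers if s.anycast]
    if not anycast:
        findings.append("no anycast nameservers: no dispersed instances to absorb a flood")
    elif len(anycast) == len(servers):
        findings.append("every nameserver is anycast: no unicast server for routing diagnosis")

    # Master outage coverage: slaves stop answering `expire` seconds after the last refresh.
    if soa.expire < MIN_EXPIRE_SECONDS:
        findings.append(
            f"SOA expire of {soa.expire}s gives slaves under {MIN_EXPIRE_SECONDS // 86400} "
            "days of coverage if all masters fail"
        )
    return findings


# Constructed sample NS sets.
MONOCULTURE = [
    NameServer("ns1.example.net", "ExampleCo", "bind9", "linux", "us", False),
    NameServer("ns2.example.net", "ExampleCo", "bind9", "linux", "us", False),
]
SOA_SHORT = SoaTimers(refresh=3600, retry=900, expire=86400)

ROBUST = [
    NameServer("a.ns.example.net", "ExampleCo", "bind9", "linux", "us", True),
    NameServer("b.ns.example.org", "OtherDNS", "nsd", "freebsd", "eu", True),
    NameServer("c.ns.example.com", "ThirdParty", "knot", "openbsd", "ap", False),
]
SOA_OK = SoaTimers(refresh=7200, retry=1800, expire=1209600)


if __name__ == "__main__":
    for label, servers, soa in (("monoculture", MONOCULTURE, SOA_SHORT),
                                ("robust", ROBUST, SOA_OK)):
        print(f"{label}:")
        for finding in audit_ns_set(servers, soa) or ["no findings"]:
            print("  -", finding)
```

The first sample set trips every check (one organisation, one implementation, one OS, one region, no anycast, and an expire of a day); the second passes them all. Run against real records the audit is only as good as the attribute data fed to it, which is the point the post makes about knowing who runs what in the NS set.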