Firewall Wizards mailing list archives

Re: "Re: a fun new tool from us... & 'Today's occurances' "


From: "Paul D. Robertson" <proberts () clark net>
Date: Wed, 28 Apr 1999 22:29:45 -0400 (EDT)

On Wed, 28 Apr 1999, Kaptain wrote:

> > FWIW, ns1.pbi.net and ns2.pbi.net show the same address, that's a no-no.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> Paul, pardon my ignorance, but why is this a no-no.  Wouldn't you want any
> authoritative sources to show the same address for the same location?
> Maybe I'm just missing somethin...

The whole idea of requiring (at least) two authoritative nameservers for a 
zone instead of one is so that if there's a server or network failure, the 
zone doesn't disappear off the net.  Both servers should be on completely 
different networks, let alone different machines, let alone at different 
addresses.

If this were kosher, then the requirement to have two nameservers for a 
zone would be lifted.  It seems that pbi.net, pacbell.net, and the 
reverse zones all live on this same single nameserver on a single 
ethernet interface; talk about apparent single points of failure (assuming 
that it's not behind distributed director - but even then it's served from a 
single autonomous system in a single advertisement.) 

Why even give it two names?  It would *appear* that the second name was 
added to get around the requirement for having two nameservers.  I'd 
_hope_ that's not true, and I'd _hope_ that someone with a clue were 
building out scalable redundant infrastructure for high-speed networks, 
but it doesn't _seem_ to be the case.  If I were their customer, I'd be 
making phone calls.

It's bad enough that it's an apparent bastardization of the requirement 
for two authoritative nameservers; were I an attacker, this type of single 
point of failure is something that I'd be looking closely at, but 
Murphy of "Murphy's law" is more likely to cause trouble here.  If it's 
behind something like Distributed Director, and they're privately peering with
or colo'd in a place privately peering with several tier-1's, then it *might* 
be ok.  I can't imagine it would hurt them to advertise a second 
authoritative server on a different network though.

When I build out infrastructure like nameservers, I *want* redundancy, at 
least two boxes, on two networks, advertised from two different AS', 
located at two different facilities, using two different providers with 
two different wireline carriers...  I probably don't have anywhere near 
the number of users that US West has.

 Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
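A check for the property Paul describes above (a zone's NS names must resolve to different addresses, and ideally to different networks), added here as an example; it is not code from this thread or from any of the parties mentioned in it. The zone names, nameserver names and addresses in it are constructed sample data, the function names are mine, and the /24 grouping is a stand-in for the "different network" test since the post does not specify one.

```python
"""Flag zones whose authoritative nameservers are not actually diverse.

Added example, not part of the original thread. It does not touch the
network: the NS set and address table below are constructed sample data.
"""
import ipaddress
from collections import defaultdict

# Constructed sample data standing in for "NS records of the zone" and the
# A records of each nameserver name. The first zone deliberately has two
# names that share one address, the situation the post complains about; the
# second has two hosts on one subnet; the third is what you want to see.
SAMPLE_NS = {
    "shared.test.": ["ns1.shared.test.", "ns2.shared.test."],
    "subnet.test.": ["ns1.subnet.test.", "ns2.subnet.test."],
    "good.test.":   ["ns1.good.test.",   "ns2.good.test."],
}
SAMPLE_A = {
    "ns1.shared.test.": ["192.0.2.10"],
    "ns2.shared.test.": ["192.0.2.10"],
    "ns1.subnet.test.": ["192.0.2.10"],
    "ns2.subnet.test.": ["192.0.2.11"],
    "ns1.good.test.":   ["192.0.2.10"],
    "ns2.good.test.":   ["198.51.100.20"],
}


def ns_diversity(zone, ns_table, a_table, prefix_len=24):
    """Return a findings dict for one zone.

    errors   - conditions that defeat the two-nameserver requirement outright
               (fewer than two NS names, a name that does not resolve, two
               names sharing one address)
    warnings - two distinct hosts that still sit in the same /prefix_len,
               i.e. probably one network and one upstream
    """
    names = ns_table.get(zone, [])
    findings = {"zone": zone, "ns_count": len(names),
                "errors": [], "warnings": []}
    if len(names) < 2:
        findings["errors"].append("fewer than two NS records")

    owners_by_addr = defaultdict(set)     # ip -> nameserver names using it
    owners_by_net = defaultdict(set)      # /prefix_len -> nameserver names
    addrs_by_net = defaultdict(set)       # /prefix_len -> distinct ips in it
    for name in names:
        addrs = a_table.get(name, [])
        if not addrs:
            findings["errors"].append(f"{name} does not resolve")
        for a in addrs:
            ip = ipaddress.ip_address(a)
            net = ipaddress.ip_network(f"{a}/{prefix_len}", strict=False)
            owners_by_addr[ip].add(name)
            owners_by_net[net].add(name)
            addrs_by_net[net].add(ip)

    for ip, owners in owners_by_addr.items():
        if len(owners) > 1:
            findings["errors"].append(
                f"{sorted(owners)} share address {ip}")
    for net, owners in owners_by_net.items():
        # Different hosts, same subnet: report it, but not as a second copy
        # of the shared-address error above.
        if len(owners) > 1 and len(addrs_by_net[net]) > 1:
            findings["warnings"].append(
                f"{sorted(owners)} are different hosts on the same {net}")

    findings["distinct_addresses"] = len(owners_by_addr)
    findings["distinct_prefixes"] = len(owners_by_net)
    return findings


def is_diverse(findings):
    """True only when nothing was flagged at all."""
    return not findings["errors"] and not findings["warnings"]


def resolve_with_system_resolver(names):
    """Optional live variant: build an A table via the host's stub resolver.

    Not used by the sample run above; it answers from whatever resolver the
    machine is configured with, not from the zone's own nameservers.
    """
    import socket
    table = {}
    for name in names:
        try:
            table[name] = socket.gethostbyname_ex(name)[2]
        except socket.gaierror:
            table[name] = []
    return table


if __name__ == "__main__":
    for zone in SAMPLE_NS:
        f = ns_diversity(zone, SAMPLE_NS, SAMPLE_A)
        status = "ok" if is_diverse(f) else "NOT diverse"
        print(f"{zone:14} {status}: {f['errors'] + f['warnings']}")
```

Run against the sample data, the first zone fails with a shared-address error, the second gets a same-subnet warning, and the third passes. To check a real zone, feed the NS names from the zone's delegation into `resolve_with_system_resolver` (or a proper DNS library) and pass the result as `a_table`; a stricter "different network" test would group by origin AS instead of by /24, which is exactly the distinction Paul draws between a second address and a second advertisement.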