Why forwarding is a Bad Thing
Brad Knowles
brad.knowles at skynet.be
Thu Mar 22 19:26:42 UTC 2001
At 7:00 PM +0000 3/22/01, Jim Reid wrote:
> In BIND8.2.3 and BIND9, yes. Modulo the usual RTT smoothing in case a
> faster emerges.
Blech. I was not aware of this. ;-(
> And one central cache beaten on by everything else in the world is a
> wonderful place to spread that infection.
At the very least, it allows you to throw the dice less often,
and risk getting your cache poisoned.
> True, but that's only part of the story. You should have added "and
> get your servers to only query authoritative name servers if at all
> possible".
One recursive caching-only name server that gets poisoned is not
necessarily any better or worse than any other, and so long as it
only ever hands out that answer non-authoritatively, the problem
should be relatively minimized. You can then focus on trying to make
your central caching servers as secure as possible from getting
poisoned, and everyone will benefit as a result.
> You don't. I meant only query authoritative name servers that are
> found by following NS records. Why forward a query to another name
> server for resolution when the forwarding server is perfectly capable
> of resolving the query for itself? Put more simply: what's the point
> of having a dog and barking yourself?
I'll refer you back to my newspaper analogy and checking with the
neighbors before running out to get another copy yourself, quite
possibly unnecessarily.
> Brad> Right, but if you have a large farm of machines and a
> Brad> caching name server running on each of them, simply because
> Brad> of asking similar questions at different times, each of them
> Brad> is guaranteed to build up a slightly different picture of
> Brad> the world than each of the others.
>
> Fine. That's how it should be, shouldn't it?
Nope. Not according to the customers I've had. They saw what we
were providing to them as one big unitary "system", and the absolute
worst possible thing you could do to them was to give them
inconsistent answers to the same question.
Haven't you ever been royally pissed-off when you've got your car
in for repair, and you call up to find out what the status is and how
much it's going to cost you, and you get a different answer from each
person you talk to?
Even if this sort of thing happens relatively rarely, the cost of
small numbers of times that this happens is *way* out of proportion
to the cost to doing everything you can to make sure that your
architecture does everything possible to prevent this from happening
in the first place.
Or haven't you ever been in a company whose stock was a DJIA
component, and where you managed situations by the probability of
something getting put into the Wall Street Journal the next day, and
worse yet, above the fold?
Or maybe you haven't ever gotten direct threats of personal
bodily harm as a result of things that have happened on the systems
you're responsible for managing?
> Fair enough, but this still doesn't convince me. Why not run a caching
> only name server on each mail server and leave them to get on with it?
See above.
> Why should anyone care if the cache on server foo is different from
> the one on server bar?
When they make threats of personal bodily harm because of this
precise situation, does it really matter what their motivation is?
> I just don't understand why you'd want or need
> to have identical caches on these two systems: it's not as if the
> names being looked up by foo and bar are identical after all.
If all these queries pass through the same central caching name
server farm, then they actually should be identical, and get
identical answers.
--
Brad Knowles, <brad.knowles at skynet.be>
/* efdtt.c Author: Charles M. Hannum <root at ihack.net> */
/* */
/* Thanks to Phil Carmody <fatphil at asdf.org> for additional tweaks. */
/* */
/* Length: 434 bytes (excluding unnecessary newlines) */
/* */
/* Usage is: cat title-key scrambled.vob | efdtt >clear.vob */
/* where title-key = "153 2 8 105 225" or other similar 5-byte key */
#define m(i)(x[i]^s[i+84])<<
unsigned char x[5],y,s[2048];main(n){for(read(0,x,5);read(0,s,n=2048);write(1,s
,n))if(s[y=s[13]%8+20]/16%4==1){int i=m(1)17^256+m(0)8,k=m(2)0,j=m(4)17^m(3)9^k
*2-k%8^8,a=0,c=26;for(s[y]-=16;--c;j*=2)a=a*2^i&1,i=i/2^j&1<<24;for(j=127;++j<n
;c=c>y)c+=y=i^i/8^i>>4^i>>12,i=i>>8^y<<17,a^=a>>14,y=a^a*8^a<<6,a=a>>8^y<<9,k=s
[j],k="7Wo~'G_\216"[k&7]+2^"cr3sfw6v;*k+>/n."[k>>4]*2^k*257/8,s[j]=k^(k&k*2&34)
*6^c+~y;}}
More information about the bind-users
mailing list