All name servers on one segment?

Bill Larson wllarso at swcp.com
Mon May 7 16:19:57 UTC 2001


> No. It makes no sense for ANY site or DNS zone to have ANY single
> point of failure in their DNS configuration. Read RFC2182: "Selection
> and Operation of Secondary DNS Servers".

I wish RFC2182 were required reading for anyone designing or 
operating a DNS service.  So much "common sense" seems to be
ignored.

>     Kenneth> I'm a HostPro hosting customer and I've noted that all
>     Kenneth> their name servers are in 209.196.128/24. That seems
>     Kenneth> particularly vulnerable.

To cut this company a little bit of slack, unless you know exactly what
their network configuration is, such as having multiple routes to their
network, they may be ok.  You will not be able to get this information
without asking them directly.  You cannot infer this from their
addresses, or even from traceroute.

But, most likely your concerns are justified.

> There are better options. For small amounts of DNS data, there's a
> free, highly-available slave DNS service at secondary.com. This is
> provided on Nominum's professional DNS hosting service, GNS. You can
> find out more information about that at http://www.nominum.com,
> including a White Paper on the GNS architecture. Disclaimer: I work
> for Nominum and helped design GNS.

After learning of secondary.com once, and trying to find information
about this free secondary DNS service from Nominum, I would suggest
skipping over the Nominum web site and looking at
http://www.secondary.com instead.

Bill Larson
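An added example, not part of the original thread: a small audit that groups a zone's name server addresses by covering prefix, the observation Kenneth made about 209.196.128/24. It generalizes to IPv6 (grouped by /48, an assumed cut-off), and all host names and addresses are constructed sample data. A "single-prefix" result is a reason to ask the operator about routing and placement, not proof of a single point of failure.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: hypothetical name servers, not real DNS records.
CONCENTRATED = {
    "ns1.example.net": ["209.196.128.10"],
    "ns2.example.net": ["209.196.128.11"],
    "ns3.example.net": ["209.196.128.200"],
}
DIVERSE = {
    "ns1.example.net": ["192.0.2.53"],
    "ns2.example.net": ["198.51.100.53"],
    "ns3.example.org": ["203.0.113.53", "2001:db8:1::53"],
}

def group_by_prefix(ns_addrs, v4_len=24, v6_len=48):
    """Map each covering prefix to the sorted name server names inside it."""
    groups = defaultdict(set)
    for name, addrs in ns_addrs.items():
        for addr in addrs:
            ip = ipaddress.ip_address(addr)  # raises ValueError on bad input
            plen = v4_len if ip.version == 4 else v6_len
            net = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
            groups[str(net)].add(name)
    return {net: sorted(names) for net, names in groups.items()}

def assess(ns_addrs):
    """Return (verdict, groups) for a {name: [addresses]} mapping.

    Verdicts: "single-server", "single-prefix" (within every address family
    in use, all servers share one prefix) or "multiple-prefixes".
    """
    groups = group_by_prefix(ns_addrs)
    if len(ns_addrs) < 2:
        return "single-server", groups
    # Count prefixes per family so a dual-stack site on one segment
    # is not mistaken for a diverse one.
    per_family = defaultdict(int)
    for net in groups:
        per_family[ipaddress.ip_network(net).version] += 1
    if all(count == 1 for count in per_family.values()):
        return "single-prefix", groups
    return "multiple-prefixes", groups

if __name__ == "__main__":
    for label, data in (("concentrated", CONCENTRATED), ("diverse", DIVERSE)):
        verdict, groups = assess(data)
        print(label, verdict, groups)
```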


More information about the bind-users mailing list