Zope.org DNS ( was Re: [ZWeb] http://namespaces.zope.org/zope )

Justizin justizin at siggraph.org
Tue Sep 26 12:00:24 EDT 2006


On 9/26/06, Jens Vagelpohl <jens at dataflake.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> On 26 Sep 2006, at 17:48, Justizin wrote:
> > Well, since I don't know about the suggested provider, here's my
> > concern - let's say I manage your DNS on my servers, and you want to
> > provide your own local servers.  How do you get a copy of the latest
> > zone?  Your IP must be listed in my server so that it is allowed to
> > perform AXFR queries.
>
> Do you know how DNS works? Slaves don't just ask for a transfer willy-
> nilly. Slaves are known to the primary and they get told when to ask.
>

I'm not sure this is correct.  We should investigate before insulting
each other's intelligence.

I know a great deal about how DNS works, thank you very much. ;)

>
> > They will also probably provide us with 3-4 hosts which we can use for
> > DNS.  If you, me, and one other person each contribute two IP
> > addresses on different networks, that puts the zope.org zone in pretty
> > good shape, because various caching nameservers will handle the
> > trouble of determining which authoritative record is best for them to
> > use.
> >
> > DNS may seem like a low-load service, but if you were to run a DNS
> > provider yourself on a single machine, I challenge you to maintain 90%
> > uptime.  The last time I worked on a large DNS implementation we had
> > twelve machines in each of two geographic locations - dual xeon
> > machines with lots of RAM that did nothing but handle round-robin DNS
> > queries.
>
> I have no idea what you are talking about. This is not some huge DNS
> service that we need. We need to serve exactly one zone. This can be
> done from a Palm Pilot, to be honest. I have run DNS services for
> years and years and don't share any of your doubts.
>

Okay, let's please not make this an argument.

*we* do not have large-scale DNS needs.

However, if we use someone like ZoneEdit.com, their nameservers are
highly loaded.  So, as I said, if someone decides to launch a DNS
attack on ns1.zoneedit.com or whatever, it can affect the availability
of zope.org, unless there are alternates, which is what we all
propose.

It's a sad logical fallacy for you to state that because you have
never seen this problem, it does not exist.  I spent nearly three
years as an engineer at one of the world's largest providers of managed
internet services, and I can tell you that NS.RACKSPACE.COM and
NS2.RACKSPACE.COM are hit multiple times a year by 8MB/s or greater
DDoS attacks.

This was in a datacenter with 9GB/s of bandwidth via multiple OC-48 connections.

It's important.

-- 
Justizin, Independent Interactivity Architect
ACM SIGGRAPH SysMgr, Reporter
http://www.siggraph.org/

