On 04-Jan-14 14:58, Nicolas C. wrote:
> On 03/01/2014 18:00, wbr...@e1b.org wrote:
>> From: Mark Andrews <ma...@isc.org>
>>> After that specify a final date for them to fix their machines by after which you will send NXDOMAIN responses. Sometimes sending a poisoned response is the only way to get people's attention.
>>>
>>> zone "." { type master; file "empty"; };
>>>
>>> empty:
>>> @ 0 IN SOA . stop.using.this.nameserver 0 0 0 0 0
>>> @ 0 IN NS .
>>> @ 0 IN A 127.0.0.1
>>
>> Or really mess with them and answer all A queries with 199.181.132.249
>
> It's not a bad idea. I could wildcard all requests to an internal HTTP server saying that the DNS configuration of the client is deprecated.

Which is great until someone tries to send e-mail, ftp a file, look up a SIP server - or any other service. Do any clients rely on SIP for emergency telephone service? (VoIP phones, softphones, building alarms among others)
DNS redirection is evil - and tricky; the world is not just DNS and HTTP from a user's desktop/notebook.
To get people's attention, NXDOMAIN to www.* queries is often reasonably safe. Embedded systems are another story. (Elevators, HVAC controllers, security systems, routers, ...)
Think about all the consequences in your environment. Do you want to be responsible if someone can't make an emergency call? Someone who has been out on leave? Someone stuck in an elevator?
It may be better to simply alias (if necessary, route) the old IP address(es) to the new server. That way you can manage the notifications and consequences on a per-service basis.
You can also turn on query logging (which helps slow down the old server) - and use the logs to backtrack to the machines that need to be reconfigured. Scripts can send an e-mail daily with a warning and instructions on how to reconfigure. If you have the ownership data, scripts can escalate to a manager/sponsor if ignored. Hopefully this will get you down to a manageable list of miscreants that require manual follow-up.
Redirecting to disney.com is a fine humorous response - but I'd be very careful about taking it - or similar - action seriously. Running DNS is a serious responsibility.
Whatever transition plan you adopt needs to fit your circumstances and manage all the risks. A 'simple' plan might work for you - or it might not.
The risks of draconian operations to encourage migration are a lot larger than they were in years past.
--
Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views, if any, on the matters discussed.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
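
The query-log backtracking suggested in the message above, as an added example that is not part of the original post or of BIND: it groups logged queries by client address and marks clients that ask for MX, SRV or NAPTR records, since those depend on DNS for more than web lookups. The log line layout (with and without the "@0x..." token) and all addresses and names are assumptions constructed for illustration; the daily e-mail step is left out.

```python
import re
from collections import Counter, defaultdict

# Assumed layout of BIND "queries" category lines; the "@0x..." token is optional.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>\S+)#\d+ \(\S+\): "
    r"query: (?P<name>\S+) (?P<cls>\S+) (?P<type>\S+)"
)

# Record types that point at non-web services (mail routing, SIP/VoIP discovery).
SERVICE_TYPES = {"MX", "SRV", "NAPTR"}

def summarize(lines):
    """Return {client_ip: {"count": int, "types": Counter, "service": bool}}."""
    clients = defaultdict(lambda: {"count": 0, "types": Counter(), "service": False})
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (other logging categories, notices)
        entry = clients[m["ip"]]
        entry["count"] += 1
        entry["types"][m["type"]] += 1
        if m["type"] in SERVICE_TYPES:
            entry["service"] = True
    return dict(clients)

def report(summary):
    """One line per client still using the old server, busiest first."""
    rows = sorted(summary.items(), key=lambda kv: (-kv[1]["count"], kv[0]))
    out = []
    for ip, e in rows:
        types = ",".join(f"{t}={n}" for t, n in sorted(e["types"].items()))
        flag = " [MX/SRV/NAPTR seen]" if e["service"] else ""
        out.append(f"{ip} queries={e['count']} {types}{flag}")
    return out

# Constructed sample lines (documentation addresses and names, not real log data).
SAMPLE_LOG = """\
04-Jan-2014 09:00:01.101 queries: info: client 192.0.2.10#53124 (www.example.com): query: www.example.com IN A + (192.0.2.53)
04-Jan-2014 09:00:02.202 queries: info: client 192.0.2.10#53125 (mail.example.com): query: mail.example.com IN A + (192.0.2.53)
04-Jan-2014 09:00:03.303 queries: info: client 192.0.2.77#40001 (_sip._udp.example.com): query: _sip._udp.example.com IN SRV + (192.0.2.53)
04-Jan-2014 09:00:04.404 general: info: zone example.com/IN: loaded serial 2014010401
04-Jan-2014 09:00:05.505 queries: info: client @0x7f3a2c0a1b20 2001:db8::25#5060 (example.com): query: example.com IN MX +E (2001:db8::53)
""".splitlines()

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG))))
```

Clients carrying the flag are the ones where a blanket NXDOMAIN or HTTP wildcard would break mail or telephony, so they are candidates for the per-service handling described in the message.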