In message <4b0243b1-1c89-023b-f3f3-7279216d5...@thelounge.net>, Reindl Harald
writes:
>
>
> Am 07.02.2017 um 22:11 schrieb Mark Andrews:
> > In message <3836f038-c480-9970-fd53-a5c87ad36...@thelounge.net>, Reindl Har
> ald wr
> > ites:
> >>> Break them. That's the only way it will eventually get fixed
> >>
> >> if things would be that easy....
> >>
> >> the admins of the broken servers ar the very last which are affected,
> >> admins with a recent named have to bite the bullet of user terror and
> >> users typically don#t give a damn when it worked yesterday
> >>
> >> the admins of the broken server don't give a damn about as long they can
> >> point their fingers and say "look, the rest of the world has no lookup
> >> errors"
> >>
> >> if it would be that easy the problem of spam would not exist for many
> >> years while in reality you waste most of our time to write exceptions
> >> here and there, disable rules or score them lower because you are not in
> >> the position to educate every admin of sending servers out there
> >
> > You go over the admins head. You go to the board of directors.
> > You go the the minister responsible (yes, I have had to do that
> > along with a copy to the shadow minister and the company that the
> > DNS was outsourced to for government domains). Good old snail mail
>
> if *you* do that from your position it may work but still takes time in
> a world where it somestimes takes days and weeks to find somebody who
> can instruct a admin to change a simple CNAME record from machine A to
> machine B even with the directors OK and CC'ed in the message
And you can fix the issue by hand while this is going on.
server 74.113.204.34 { send-cookie false; };
server 74.113.206.34 { send-cookie false; };
server 117.56.91.203 { send-cookie false; };
server 117.56.91.204 { send-cookie false; };
server 117.56.91.234 { send-cookie false; };
server 199.252/16 { send-cookie false; };
(or request-sit no; for 9.10.x)
There aren't lots of servers that drop EDNS or drop EDNS + DNS COOKIE.
The big numbers are those that drop EDNS(1) which no one is using at
this stage. See http://ednscomp.isc.org/
> i doubt it works the same way for a ordinary admin in a small company
> where you to make it work because *you* broke it with the named update
> and so your advise will be "roll back that stuff to the state of
> yesterday where it worked and no you have not the free time to call each
> and every company and educate them"
>
> problem here is that as long it's not a critical mass anybody who
> deployed the update breaking things have to bleed for it and so you have
> to find enough people with the power to go over admins head *before* the
> breaking updates
>
> and no, when in your company people can't work because DNS is broken you
> don't call foreign admins and directors - you have to fix that *now* and
> after you have fixed it you have no longer arumgents why call somebody
> with no direct relations
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
