Well said Bill.
I agree with you about having all your tech/adm records + registrar on the same
NS... especially for your OOB domain.
Probably what killed them. They lost access to their fb-00b-net-mgmt.io cool
dns name network. It just went from bad to worst when they realized that they
also lost physical access to the building.
We all learned a lot and we're still learning.
Jean
-----Original Message-----
From: Bill Woodcock <wo...@pch.net>
Sent: October 7, 2021 12:45 PM
To: Jean St-Laurent <j...@ddostest.me>
Cc: Masataka Ohta <mo...@necom830.hpcl.titech.ac.jp>; Bjørn Mork
<bj...@mork.no>; nanog@nanog.org
Subject: Re: DNS pulling BGP routes?
This was superstition, brought forward from 1992 by the folks who were yelling
“damned kids get offa my lawn” at the time.
There’s no reason to include a unicast address in an NS set in the 21st
century, and plenty of reasons not to (since it’ll be very difficult to
load-balance with the rest of the servers).
But one should NEVER NEVER depend on a single administrative or technical
authority for all your NS records. That’s what shot Facebook in the foot, they
were trying to do it all themselves, so when they shot themselves in the foot,
they only had the one foot, and nothing left to stand on. Whereas other folks
shoot themselves in the foot all the time, and nobody notices, because they
paid attention to the spirit of RFC 2182.
-Bill
