Sent: Tuesday, August 4, 2015 19:53
To: Christopher Morrow
Cc: NANOG; Joe Greco
Subject: Re: RES: Exploits start against flaw that could hamstring huge swaths
of
>> Automation just means your mistake goes many more places more
>> quickly.
> and letting people keep p
On Tue, Aug 04, 2015 at 12:00:32PM -0400, Jared Mauch wrote:
> I recommend using DNSDIST to balance traffic at a protocol level as you can
> have implementation diversity on the backside.
>
Here's an example dnsdist config you might find helpful:
This sends queries to the first two serv
On Tue, Aug 4, 2015 at 4:53 PM, Randy Bush wrote:
> i love the devops movement; operators discover that those computers can
> be programmed. wowzers!
>
Maybe we can give them a new title. I'm thinking, "System Programmer."
>> Automation just means your mistake goes many more places more
>> quickly.
> and letting people keep poking at things that computers should be
> doing is... much worse. people do not have reliability and
> repeat-ability over time.
i love the devops movement; operators discover that those comput
> As someone who once hosted TLD zones in a way that a query to a
> particular nameserver could be answered by either NSD or BIND9, my
> advice would be "don't do that". You're setting yourself up for
> troubleshooting hell.
for some folk, complexity is a career. i worked for circuitzilla
for
On 4 Aug 2015, at 15:54, Barry Shein wrote:
Wow this thread went off-track in nanoseconds.
So which bind versions are ok?
9.10.2-P3 is marked "current stable", and 9.9.7-P2 is marked
"current-stable ESV" at:
https://www.isc.org/downloads/
The bind-users is probably a place where this ki
On Tue, 04 Aug 2015 15:54:53 -0400, Barry Shein said:
>
> Wow this thread went off-track in nanoseconds.
>
> So which bind versions are ok?
This week's.
Wow this thread went off-track in nanoseconds.
So which bind versions are ok?
-b
On Tue, Aug 04, 2015 at 01:48:56PM -0400, Joe Abley wrote:
> Hi Jared,
>
> On 4 Aug 2015, at 12:00, Jared Mauch wrote:
>
> >I recommend using DNSDIST to balance traffic at a protocol level as you
> >can have implementation diversity on the backside.
> >
> >I can send an example config out later f
On Wed, Aug 05, 2015 at 02:39:18AM +1000, Mark Andrews wrote:
>
> In message <9c2aca5a-755d-4fcf-8491-745a1f911...@puck.nether.net>, Jared
> Mauch writes:
> > I recommend using DNSDIST to balance traffic at a protocol level as you can
> > have implementation diversity on the backside.
>
Hi Jared,
On 4 Aug 2015, at 12:00, Jared Mauch wrote:
I recommend using DNSDIST to balance traffic at a protocol level as
you can have implementation diversity on the backside.
I can send an example config out later for people. You can balance to
bind NSD and others all at the same time :-)
hi ya
> >> On Tue, Aug 4, 2015 at 11:29 AM, Scott Helms wrote:
> >> > With the (large) caveat that heterogenous networks are more subject to
> >> > human error in many cases.
> >>
> >> automate!
> >>
...
On 08/04/15 at 12:21pm, Christopher Morrow wrote:
> On Tue, Aug 4, 2015 at 11:46 AM, Scott
On 4 Aug 2015, at 23:21, Christopher Morrow wrote:
and letting people keep poking at things that computers should be
doing is... much worse. people do not have reliability and
repeat-ability over time.
I've personally never come across an accidental route hijack (of the
subset of which I lea
I don't disagree, but automation usually protects against typing errors, it
doesn't protect against incorrect configurations. Using multiple vendors
or server software means that your people have to know all of the systems.
There are many cases where, for example, a Cisco like CLI will make a
netw
- Original Message -
> From: "Scott Helms"
> On Aug 4, 2015 9:38 AM, "Christopher Morrow"
> wrote:
>
> > On Tue, Aug 4, 2015 at 11:29 AM, Scott Helms
> > wrote:
> > > With the (large) caveat that heterogenous networks are more
> > > subject to human error in many cases.
> >
> > automat
On Tue, Aug 4, 2015 at 9:39 AM, Mark Andrews wrote:
> In message <9c2aca5a-755d-4fcf-8491-745a1f911...@puck.nether.net>, Jared
> Mauch writes:
> > I recommend using DNSDIST to balance traffic at a protocol level as you
> > can have implementation diversity on the backside.
> >
> > I can se
In message <9c2aca5a-755d-4fcf-8491-745a1f911...@puck.nether.net>, Jared Mauch
writes:
> I recommend using DNSDIST to balance traffic at a protocol level as you can
> have implementation diversity on the backside.
>
> I can send an example config out later for people. You can balance to bin
On Tue, Aug 4, 2015 at 11:46 AM, Scott Helms wrote:
> Automation just means your mistake goes many more places more quickly.
>
and letting people keep poking at things that computers should be
doing is... much worse. people do not have reliability and
repeat-ability over time.
If you fear 'many
at 10:03 AM, Jay Ashworth wrote:
>
> Everyone got BIND updated?
>
> http://arstechnica.com/security/2015/08/exploits-start-against-flaw-that-could-hamstring-huge-swaths-of-internet/
> --
> Sent from my Android phone with K-9 Mail. Please excuse my brevity.
Automation just means your mistake goes many more places more quickly.
On Aug 4, 2015 9:38 AM, "Christopher Morrow"
wrote:
> On Tue, Aug 4, 2015 at 11:29 AM, Scott Helms wrote:
> > With the (large) caveat that heterogenous networks are more subject to
> > human error in many cases.
>
> automate!
On Tue, 04 Aug 2015 15:06:36 -, Leonardo Oliveira Ortiz said:
> So, you guys recommend replace Bind for another option ?
The *good* recommendation is to get some onboard security clue, and
learn procedures to mitigate the inevitable exploits against flaws in
infrastructure software.
On Tue, Aug 4, 2015 at 11:29 AM, Scott Helms wrote:
> With the (large) caveat that heterogenous networks are more subject to
> human error in many cases.
automate!
> On Aug 4, 2015 9:25 AM, "Joe Greco" wrote:
>
>> > So, you guys recommend replace Bind for another option ?
>>
>> No. Replacing o
With the (large) caveat that heterogenous networks are more subject to
human error in many cases.
On Aug 4, 2015 9:25 AM, "Joe Greco" wrote:
> > So, you guys recommend replace Bind for another option ?
>
> No. Replacing one occasionally faulty product with another occasionally
> faulty product i
> So, you guys recommend replace Bind for another option ?
No. Replacing one occasionally faulty product with another occasionally
faulty product is foolish. There's no particular reason to think that
another product will be impervious to code bugs. What I was suggesting
was to use several diff
On Tue, Aug 4, 2015 at 11:06 AM, Leonardo Oliveira Ortiz
wrote:
> So, you guys recommend replace Bind for another option ?
The humorous thing is that the security researcher who showed the
recent bind9 error (note: it isn't a vulnerability or a hack, it's
just a way to remotely crash named), well
So, you guys recommend replace Bind for another option ?
-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On behalf of Joe Greco
Sent: Tuesday, August 4, 2015 12:01
To: Stephane Bortzmeyer
Cc: nanog@nanog.org
Subject: Re: Exploits start against flaw that
> On Tue, Aug 04, 2015 at 10:03:33AM -0400,
> Jay Ashworth wrote
> a message of 6 lines which said:
>
> > Everyone got BIND updated?
>
> For instance by replacing it with NSD or Unbound?
Or doing something better like not just replacing one evil with another,
and instead moving to a heteroge
On Tue, Aug 4, 2015 at 10:17 AM, Stephane Bortzmeyer wrote:
> On Tue, Aug 04, 2015 at 10:03:33AM -0400,
> Jay Ashworth wrote
> a message of 6 lines which said:
>
>> Everyone got BIND updated?
>
> For instance by replacing it with NSD or Unbound?
always great to jump ship from one platform to a
On Tue, Aug 04, 2015 at 10:03:33AM -0400,
Jay Ashworth wrote
a message of 6 lines which said:
> Everyone got BIND updated?
For instance by replacing it with NSD or Unbound?
Everyone got BIND updated?
http://arstechnica.com/security/2015/08/exploits-start-against-flaw-that-could-hamstring-huge-swaths-of-internet/
--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.