March 10, 2010

Entries Tagged as 'DNS Best Practices'

I Don't Want to Say "I Told You So"...

October 13 2009 by Cricket Liu (Infoblox)

...especially at the expense of the excellent folks who run .SE, but wasn't I just writing last month about everything that can go wrong in a manually administered DNS environment?  In fact, didn't I specifically say:

"Use a trailing dot to prevent the origin from being appended to a domain name.  After editing a zone data file, increment the serial number and reload. Forget any one of those and you've caused an operational issue, maybe even an outage."

Well, it looks like .SE had one of those very problems.

Posted in DNS Best Practices | Automation | 1 comments



Automating to Address Administrator Absentmindedness

September 24 2009 by Cricket Liu (Infoblox)

Over the past few years--I can't remember exactly when, which is part of the problem--I've become alarmingly forgetful.  I'll get up, walk across the building to do something, and forget completely what it was that I intended to do.  Talk to Julie about upcoming roundtables?  Ask Eric or Arlen a question about UI design?

That's a nuisance for me around the office, but it would be downright dangerous if anyone still let me manage a production zone or name server.

Even in the simplest DNS environments, there's a lot to remember:  An SOA record has seven RDATA fields.  Use a trailing dot to prevent the origin from being appended to a domain name.  After editing a zone data file, increment the serial number and reload. Forget any one of those and you've caused an operational issue, maybe even an outage.

Posted in DNSSEC | DNS Best Practices | Automation | 0 comments



DNS Security Getting the Attention It Deserves

August 26 2009 by Cricket Liu (Infoblox)

According to a DHS report cited in FT's Tech Blog, DNS is "the part of U.S. information technology most at risk from a serious attack." The report lists several "mitigations" of the threats against DNS, including monitoring, infrastructure diversity, anycast (called out by name!) and DNSSEC.

Posted in DNSSEC | DNS Security | DNS Best Practices | 0 comments



Webinar Slides Available!

June 10 2009 by Cricket Liu (Infoblox)

The slides from this morning's webinars are now available for downloading!  Enjoy!

Posted in DNSSEC | DNS Security | DNS Best Practices | 3 comments



Answers to Your Webinar Questions 3

June 10 2009 by Cricket Liu (Infoblox)

Here are a few more answers:

How does a host or client request a DO bit?  Or how do I force my caching name server to set DO on behalf of their clients?

The stub resolver doesn't usually set the DO bit.  A recursive name server with a trust anchor for a zone or following a delegation from a secure zone to a secure subzone sets the DO bit.  (It makes no sense, after all, for a recursive name server to set the DO bit on a query for an RRset in a zone that isn't signed.)  So if you want to make sure that a recursive name server sets DO for queries in a particular zone, configure a trust anchor for that zone.

Posted in DNSSEC | DNS Security | DNS Best Practices | 0 comments