Re: RES: Exploits start against flaw that could hamstring huge swaths of

[Scott Helms <khelms () zcorum com>]

Automation just means your mistake goes many more places more quickly.
On Aug 4, 2015 9:38 AM, "Christopher Morrow" <morrowc.lists () gmail com>
wrote:

> On Tue, Aug 4, 2015 at 11:29 AM, Scott Helms <khelms () zcorum com> wrote:
> > With the (large) caveat that heterogenous networks are more subject to
> > human error in many cases.
>
> <cough>automate!</cough>
>
> > On Aug 4, 2015 9:25 AM, "Joe Greco" <jgreco () ns sol net> wrote:
> >
> > > > So, you guys recommend replace Bind for another option ?
> > >
> > > No.  Replacing one occasionally faulty product with another occasionally
> > > faulty product is foolish.  There's no particular reason to think that
> > > another product will be impervious to code bugs.  What I was suggesting
> > > was to use several different devices, much as some networks prefer to
> > > buy some Cisco gear and some Juniper gear and make them redundant, or
> > > as a well-built ZFS storage array consists of drives from different
> > > manufacturers.
> > >
> > > Heterogeneous environments tend to be more resilient because they are
> > > less likely to all suffer the same defect at once.  Problems still
> result
> > > in some pain and trouble, but it usually doesn't result in a service
> > > outage.
> > >
> > > This doesn't seem like a horribly catastrophic bug in any case.  Anyone
> > > who is reliant on a critical bit like a DNS server probably has it set
> > > up to automatically restart if it doesn't exit cleanly.  If you don't,
> > > you should!
> > >
> > > So if it matters to you, I suggest that you instead use a combination
> > > of different products, and you'll be more resilient.  If you have two
> > > recursers for your customers, one can be BIND and one can be Unbound.
> > > And when some critical vuln comes along and knocks out Unbound, you'll
> > > still be resolving names.  Ditto BIND.  You're not likely to see both
> > > happen at the same time.
> > >
> > > However, at least here, we actually *use* TSIG updates, and other
> > > functionality that'd be hard to replace (BIND9 is pretty much THE only
> > > option for some functionality).
> > >
> > > ... JG
> > > --
> > > Joe Greco - sol.net Network Services - Milwaukee, WI -
> http://www.sol.net
> > > "We call it the 'one bite at the apple' rule. Give me one chance [and]
> > > then I
> > > won't contact you again." - Direct Marketing Ass'n position on e-mail
> > > spam(CNN)
> > > With 24 million small businesses in the US alone, that's way too many
> > > apples.