nanog mailing list archives
Re: RES: Exploits start against flaw that could hamstring huge swaths of
From: Scott Helms <khelms () zcorum com>
Date: Tue, 4 Aug 2015 13:01:03 -0400
I don't disagree, but automation usually protects against typing errors, it doesn't protect against incorrect configurations. Using multiple vendors or server software means that your people have to know all of the systems. There are many cases where, for example, a Cisco like CLI will make a network engineer think that a command works exactly the same way on another vendors system when in fact the under the hood implementation is very different. It's not always feasible to have the people with the needed skill levels and automation does not help that at all. On Aug 4, 2015 10:21 AM, "Christopher Morrow" <morrowc.lists () gmail com> wrote:
On Tue, Aug 4, 2015 at 11:46 AM, Scott Helms <khelms () zcorum com> wrote:Automation just means your mistake goes many more places more quickly.and letting people keep poking at things that computers should be doing is... much worse. people do not have reliability and repeat-ability over time. If you fear 'many more places' problems, improve your testing.On Aug 4, 2015 9:38 AM, "Christopher Morrow" <morrowc.lists () gmail com> wrote:On Tue, Aug 4, 2015 at 11:29 AM, Scott Helms <khelms () zcorum com> wrote:With the (large) caveat that heterogenous networks are more subject to human error in many cases.<cough>automate!</cough>On Aug 4, 2015 9:25 AM, "Joe Greco" <jgreco () ns sol net> wrote:So, you guys recommend replace Bind for another option ?No. Replacing one occasionally faulty product with another occasionally faulty product is foolish. There's no particular reason to thinkthatanother product will be impervious to code bugs. What I wassuggestingwas to use several different devices, much as some networks prefer to buy some Cisco gear and some Juniper gear and make them redundant, or as a well-built ZFS storage array consists of drives from different manufacturers. Heterogeneous environments tend to be more resilient because they are less likely to all suffer the same defect at once. Problems still result in some pain and trouble, but it usually doesn't result in a service outage. This doesn't seem like a horribly catastrophic bug in any case.Anyonewho is reliant on a critical bit like a DNS server probably has itsetup to automatically restart if it doesn't exit cleanly. If youdon't,you should! So if it matters to you, I suggest that you instead use a combination of different products, and you'll be more resilient. If you have two recursers for your customers, one can be BIND and one can be Unbound. And when some critical vuln comes along and knocks out Unbound,you'llstill be resolving names. Ditto BIND. You're not likely to see both happen at the same time. However, at least here, we actually *use* TSIG updates, and other functionality that'd be hard to replace (BIND9 is pretty much THEonlyoption for some functionality). ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance[and]then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Current thread:
- Re: Exploits start against flaw that could hamstring huge swaths of Internet | Ars Technica, (continued)
- Re: Exploits start against flaw that could hamstring huge swaths of Internet | Ars Technica Stephane Bortzmeyer (Aug 04)
- Re: Exploits start against flaw that could hamstring huge swaths of Internet | Ars Technica Christopher Morrow (Aug 04)
- Re: Exploits start against flaw that could hamstring huge swaths of Joe Greco (Aug 04)
- RES: Exploits start against flaw that could hamstring huge swaths of Leonardo Oliveira Ortiz (Aug 04)
- Re: Exploits start against flaw that could hamstring huge swaths of Jim Popovitch (Aug 04)
- Re: RES: Exploits start against flaw that could hamstring huge swaths of Joe Greco (Aug 04)
- Re: RES: Exploits start against flaw that could hamstring huge swaths of Scott Helms (Aug 04)
- Re: RES: Exploits start against flaw that could hamstring huge swaths of Christopher Morrow (Aug 04)
- Re: RES: Exploits start against flaw that could hamstring huge swaths of Scott Helms (Aug 04)
- Re: RES: Exploits start against flaw that could hamstring huge swaths of Christopher Morrow (Aug 04)
- Re: RES: Exploits start against flaw that could hamstring huge swaths of Scott Helms (Aug 04)
- Re: Exploits start against flaw that could hamstring huge swaths of Roland Dobbins (Aug 04)
- Re: RES: Exploits start against flaw that could hamstring huge swaths of alvin nanog (Aug 04)
- Re: RES: Exploits start against flaw that could hamstring huge swaths of Barry Shein (Aug 04)
- Re: RES: Exploits start against flaw that could hamstring huge swaths of Valdis . Kletnieks (Aug 04)
- Re: Exploits start against flaw that could hamstring huge swaths of Joe Abley (Aug 04)
- Re: RES: Exploits start against flaw that could hamstring huge swaths of Randy Bush (Aug 04)
- Re: RES: Exploits start against flaw that could hamstring huge swaths of Joel Maslak (Aug 04)
- RES: RES: Exploits start against flaw that could hamstring huge swaths of Leonardo Oliveira Ortiz (Aug 06)
- Re: Exploits start against flaw that could hamstring huge swaths of Internet | Ars Technica Stephane Bortzmeyer (Aug 04)
- Re: RES: Exploits start against flaw that could hamstring huge swaths of Jay Ashworth (Aug 04)
- Re: RES: Exploits start against flaw that could hamstring huge swaths Joe Greco (Aug 04)