Contemporary requirements for zone transfers

Transcript

1. Contemporary requirements for zone transfers Artyom Gavrichenkov <[email protected]> GPG: 2deb

   97b1 0a3c 151d b67f 1ee5 00e7 94bc 4d08 9191

2. A long, long time ago. • /etc/hosts • Service owner

   responsible for the name resolution

3. Next. • Authoritative DNS servers • DNS registries • Cloud

   DNS services

4. A Split. Customers Providers

5. 1

6. 2

7. …

8. A Split. Customers Providers

9. Customers Providers • DNSSEC • CAA • TLS …

10. Customers Providers ? • DNSSEC • CAA • TLS …

11. Customers Providers • Backup datacenters • Geobalancing • ASN-based balancing

    • CI/CD • DNSSEC • CAA • TLS …
12. None

13. DDoS Challenges • UDP-based protocol • Thanks God, a truncate

    thing • Amplification attacks

14. Cloud solutions! • Amazon Route53 • Dyn • Azure •

    Cloudflare • Google Cloud …

15. Cloud solutions! • Amazon Route53 • Dyn • Azure •

    Cloudflare • Google Cloud … But.

16. Cloud solutions! • Amazon Route53 • Dyn • Azure •

    Cloudflare • Google Cloud … But. What about AXFR?
17. None

18. “DNS Zone Transfers (AXFR/IXFR) support for Route53 is a hotly

    asked for feature, and is one that we will consider adding in the future.” Amazon, 2012.
19. None

20. DNSControl https://github.com/StackExchange/dnscontrol/ “Synchronize your DNS to multiple providers from a

    simple DSL”

21. A Standard? • DOTS • CDNI • DNSops?

22. A Standard? Zone transfers with blackjack and stuff • Balancing

    and failover • Traffic load measurement & rate limiting • Dynamic filters • Extensions

23. Q&A Artyom Gavrichenkov <[email protected]>