httpd-dev mailing list archives

From (Dean Gaudet)
Subject Re: security holes and other fun stuff
Date Mon, 15 Jul 1996 20:49:47 GMT
In article <>,
Paul Richards  <> wrote:
>The time it takes to change a DNS entry is dependent *entirely* on the timeout
>value. Anything doing DNS lookups that caches an entry for longer than that
>time is *FUNDAMENTALLY* broken.

Any DNS server that caches an entry for longer than that time is
fundamentally broken.  Take a look at the API though: gethostbyname and
gethostbyaddr DO NOT RETURN THE TIMEOUT.  Hence it is impossible as an
application "doing the right thing" by using the API to actually do
the right thing.  Netscape is actually closer to being able to do the
right thing by writing their own API.

Netscape is broken.  Apache (configured with DNS) is broken.  INN is
broken (the FAQ mentions this and gives a "fix").  Hell, telnet, rlogin,
any news reader, they're all broken because they don't continually
look up the names they're using.

A month after renumbering I saw 4 requests per day to the old
address.  A month after renumbering I saw 3 requests per day.
I have two week zone timeouts, with 1 day updates, and 1/2 day ttls.
In two days all my secondaries should have updated (they had).  In three
days everyone should have been going to the new address.

Theory and practice don't meet.  I studied mathematics, I'm totally
into theory.  I'm just giving you a practical view from someone who
has actually gone through the effort of renumbering a bunch of servers.
Maybe Cliff can add something here -- he's gone through this as well.

Regardless of this fact of life, my point is still valid.  You always have
to run with two config entries long enough to let the old record time out.
Brian was claiming that there was some magic method of running with one
that required little co-ordination.

The length of that time is what's at issue here.  There's like 0 chance
you'll convince J. Random Admin to play with the magic values in their
zone's SOA.  The number of people that understand that the 2nd through
4th values refer to the zone as a whole and not the individual records
is pretty small.  I know how to play with the values to attempt to renumber
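As an added illustration of the point about the API (example code written for this archive page, not code from the thread or from Apache): gethostbyname() hands back only addresses, so the TTL that the resolver saw is lost to the caller. An application that wants to expire its own cache correctly has to read the answer section itself. The response bytes below are constructed, not captured; the record name, address and 1/2-day TTL are made-up values.

```python
"""Recover per-record TTLs from a DNS response (RFC 1035 wire format).

gethostbyname()/gethostbyaddr() discard the TTL, so a caching client has no
way to honour it.  Walking the answer section directly gives it back.
"""
import struct


def _read_name(msg, off):
    """Return (name, next_offset), following RFC 1035 compression pointers."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # 2-byte compression pointer
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if not jumped:
                end = off + 2                     # resume after the pointer
            jumped = True
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def answers_with_ttl(msg):
    """Return [(name, rtype, ttl, rdata)] for every record in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12                                      # fixed 12-byte header
    for _ in range(qdcount):                      # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                  # QTYPE + QCLASS
    out = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10                                 # TYPE, CLASS, TTL, RDLENGTH
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:             # A record: render dotted quad
            rdata = ".".join(str(b) for b in rdata)
        out.append((name, rtype, ttl, rdata))
    return out


# Constructed sample: one A record for www.example.com, TTL 43200 s (1/2 day).
SAMPLE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"    # header: 1 Q, 1 answer
    + b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"     # question: A IN
    + b"\xc0\x0c\x00\x01\x00\x01" + struct.pack("!IH", 43200, 4) + b"\xc0\xa8\x01\x0a"
)

if __name__ == "__main__":
    for name, rtype, ttl, rdata in answers_with_ttl(SAMPLE):
        print(f"{name} type={rtype} ttl={ttl}s -> {rdata}")
```

A client that stores `time() + ttl` alongside the address can re-resolve when that deadline passes, which is exactly what a gethostbyname()-based cache cannot do.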