spamassassin-sysadmins mailing list archives

From "Kevin A. McGrail" <>
Subject Re:
Date Thu, 09 Nov 2017 16:44:29 GMT

On 11/9/2017 11:07 AM, Greg Stein wrote:
> No, we do not use PowerDNS. We have a hidden master, and a couple 
> parties slave/provide DNS service for us. We are consolidating all DNS 
> at Namecheap, along with them being our domain registrar.
> At the moment, I am transferring the domain registration over to 
> Namecheap. The NS records will be unchanged. I might ask the PMC to 
> consider a move to ASF resources for continuity purposes (or to 
> rephrase: not rely on a third party for core operations/viability).
> Please let me know if you have any concerns about the registrar move. 
> (tho: it should be invisible)

Hi Greg,

Technically and administratively, the registrar has no impact on the 
project.  I appreciate you asking and technically if it has the same 
nameservers, it won't cause any issues for the project. All we really 
need is a heads-up so we can alert you if it goes wonky.  Like you said, 
invisible.  I wouldn't even have asked us in your shoes.  I defer to the 
PMC but I'm a +1 on moving the registrar.

Re: moving the NS records, I'm likely one of the few PMC members 
*[Working to change that with our sysadmins group] left that can speak 
to this issue but defer to a vote.

TL;DR: Don't be in such a hurry to put SA DNS onto ASF Infra. It might 
cause a lot of grief and the grief is currently handled so it has zero 
net gain for a lot of work.

Overall, I don't support changing the status quo and here are the reasons:

- We have just rearchitected around PowerDNS for API calls. Switching 
would be difficult but not impossible.  But I imagine we won't have APIs 
under Infra.  Ignore that issue for now while you read more bullet 
points below.

- I don't think it's clear that the master DNS for is 
on ASF infra as a hidden master now.  It has ALWAYS been there since the 
project moved under the ASF.

- The name servers today share the load and use distributed DNS to 
Sonic, PCCC & ENA.  How is consolidating a distributed, resilient DNS 
system going to improve things?  I'd argue you are putting all the eggs 
in one basket and it's less viable.

- The number of DNS queries was too much for ASF to handle eons 
ago, hence we had to take it out of infra.  With work towards the goal of 
an RBL, you don't want the DNS requests in house.  It is going to get 
worse :-)

- Side note: PCCC provided the DNS servers for SA prior to it coming 
onboard with the ASF because they had horrible DNS stability and attack 
issues.  ~21+ years of providing DNS for the project with no outages :-)

And the SA work has been the direct cause of bringing datacenters to 
their knees no less than 3 times.  Ask Samuel Abramson 
<> about how I accidentally shut down Zayo in 
Ashburn by accidentally redirecting our RBL traffic to their network in 
the past few months.  1 stat:  at that time, the RBL is every single 
cPanel installation in the world and that means ALL of EIG, Godaddy, 
etc. that use cPanel.


