Mailing List Archive

Zope.org DNS ( was Re: http://namespaces.zope.org/zope )
On 9/26/06, Jens Vagelpohl <jens@dataflake.org> wrote:
> On 26 Sep 2006, at 14:40, Martijn Faassen wrote:
> > We're currently investigating mechanisms by which we (as the
> > community) can manage the nameserver for zope.org - a requirement
> > to bring namespaces.zope.org into being. We're also trying to
> > figure out what could be listening on the other end.
>
> If DNS is a bottleneck I volunteer to host the zope.org zone on my
> colocated servers (ns1.dataflake.org as primary, ns1.zetwork.com as
> secondary). The data center they are in (in Richmond/VA) has
> redundant internet connectivity and a sterling uptime record for
> their network.
>

We should totally figure out a solution for this. I also have
resources available to host DNS.

I am a volunteer for the Association for Computing Machinery, and we
are beginning to use Zope and Plone pretty significantly. Perhaps we
wouldn't mind owning this zone. We currently have no DNS management
tool, but I have the source code to an old one laying around I could
resurrect, ugly as it may be.

One reason I like the idea of the ACM hosting this zone is that we are
probably going to stick around, so Zope.org won't be likely to fall by
the wayside. Perhaps we could devise a system whereby several
organizations provide NS records for zope.org and replicate, either
via AXFR or otherwise.

--
Justizin, Independent Interactivity Architect
ACM SIGGRAPH SysMgr, Reporter
http://www.siggraph.org/
_______________________________________________
Zope-web maillist - Zope-web@zope.org
http://mail.zope.org/mailman/listinfo/zope-web
Re: Zope.org DNS ( was Re: http://namespaces.zope.org/zope )
On 26 Sep 2006, at 16:56, Justizin wrote:
> One reason I like the idea of the ACM hosting this zone is that we are
> probably going to stick around, so Zope.org won't be likely to fall by
> the wayside.

Umh, thanks for implying that others (like me) won't be around and
would leave zope.org in the lurch...

jens



Re: Zope.org DNS ( was Re: http://namespaces.zope.org/zope )
We can use someone like zoneedit.com for the primary, and then have a bunch
of secondaries.....I'm sure there's lots of us who could do secondary dns
for this. I've used zoneedit for several years now - flawlessly. First 5
domains are free - so that shouldn't be a problem.

Andrew


On 9/26/06 10:56 AM, "Justizin" <justizin@siggraph.org> wrote:

> On 9/26/06, Jens Vagelpohl <jens@dataflake.org> wrote:
>> On 26 Sep 2006, at 14:40, Martijn Faassen wrote:
>>> We're currently investigating mechanisms by which we (as the
>>> community) can manage the nameserver for zope.org - a requirement
>>> to bring namespaces.zope.org into being. We're also trying to
>>> figure out what could be listening on the other end.
>>
>> If DNS is a bottleneck I volunteer to host the zope.org zone on my
>> colocated servers (ns1.dataflake.org as primary, ns1.zetwork.com as
>> secondary). The data center they are in (in Richmond/VA) has
>> redundant internet connectivity and a sterling uptime record for
>> their network.
>>
>
> We should totally figure out a solution for this. I also have
> resources available to host DNS.
>
> I am a volunteer for the Association for Computing Machinery, and we
> are beginning to use Zope and Plone pretty significantly. Perhaps we
> wouldn't mind owning this zone. We currently have no DNS management
> tool, but I have the source code to an old one laying around I could
> resurrect, ugly as it may be.
>
> One reason I like the idea of the ACM hosting this zone is that we are
> probably going to stick around, so Zope.org won't be likely to fall by
> the wayside. Perhaps we could devise a system whereby several
> organizations provide NS records for zope.org and replicate, either
> via AXFR or otherwise.


Re: Zope.org DNS ( was Re: http://namespaces.zope.org/zope )
On 26 Sep 2006, at 17:02, Andrew Sawyers wrote:

> We can use someone like zoneedit.com for the primary, and then have a bunch
> of secondaries.....I'm sure there's lots of us who could do secondary dns
> for this. I've used zoneedit for several years now - flawlessly. First 5
> domains are free - so that shouldn't be a problem.

Hey Andrew, learn bottom-posting please!

I haven't worked with zoneedit, but would volunteer a secondary DNS
setup on one of my boxes.

DNS changes should be very tightly regulated and the group of people
who can make them should be very small since DNS is a very important
wheel in the machinery which can break all other services if not
handled correctly. I don't think it is important to have some "newbie-
friendly" tool.

jens


Re: Zope.org DNS ( was Re: http://namespaces.zope.org/zope )
On 9/26/06, Jens Vagelpohl <jens@dataflake.org> wrote:
> Hey Andrew, learn bottom-posting please!
>
> I haven't worked with zoneedit, but would volunteer a secondary DNS
> setup on one of my boxes.

ZoneEdit has a very ugly site, but technically I haven't had one
single problem with them during four years of usage.

> I don't think it is important to have some "newbie-
> friendly" tool.

ZoneEdit isn't especially designed to be newbie-friendly. It is,
compared to hand-editing text-files, but that's probably more as a
side-effect of the fact that you configure things with forms that for
example add both forward and reverse dns automatically and stuff.

ZoneEdit is an option that should be considered. I'm not enough of a
DNS-guru to say if it's a better or worse option than other options,
but it does work very well.

--
Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/
Re: Zope.org DNS ( was Re: http://namespaces.zope.org/zope )
On 9/26/06 11:10 AM, "Jens Vagelpohl" <jens@dataflake.org> wrote:

> On 26 Sep 2006, at 17:02, Andrew Sawyers wrote:
>
>> We can use someone like zoneedit.com for the primary, and then have a bunch
>> of secondaries.....I'm sure there's lots of us who could do secondary dns
>> for this. I've used zoneedit for several years now - flawlessly. First 5
>> domains are free - so that shouldn't be a problem.
>
> Hey Andrew, learn bottom-posting please!
>
> I haven't worked with zoneedit, but would volunteer a secondary DNS
> setup on one of my boxes.
>
> DNS changes should be very tightly regulated and the group of people
> who can make them should be very small since DNS is a very important
> wheel in the machinery which can break all other services if not
> handled correctly. I don't think it is important to have some "newbie-
> friendly" tool.
>
> jens
>
This has nothing to do with a newbie friendly tool - but a third party to be
the primary, so that a single person isn't the 'owner' of this - so those
with appropriate access can manage this. I'm sure all of us on the list
understand the importance of DNS and its reliability. Since it's free and
been around for years, I thought it was worthy of looking at for the group.

Andrew


Re: Zope.org DNS ( was Re: http://namespaces.zope.org/zope )
> This has nothing to do with a newbie friendly tool - but a third party to be
> the primary, so that a single person isn't the 'owner' of this - so those
> with appropriate access can manage this. I'm sure all of us on the list
> understand the importance of DNS and its reliability. Since it's free and
> been around for years, I thought it was worthy of looking at for the group.

Come to think of it, we are actually using http://dnsmadeeasy.com/ for
the ACM. It isn't that we can't run a BIND or djbdns server, we are
responsible for over fifty machines, but yanno, it's just easier.

A provider who focuses on DNS can make sure there is uber redundancy,
and can, as mentioned, keep a single point of failure from affecting
the zone's future edit-ability.

I definitely agree that it should be more difficult to get admin for
Zope.org DNS than to get a Zope.org account for publishing content /
filing bugs. ;)

--
Justizin, Independent Interactivity Architect
ACM SIGGRAPH SysMgr, Reporter
http://www.siggraph.org/
Re: Zope.org DNS ( was Re: http://namespaces.zope.org/zope )
On 26 Sep 2006, at 17:21, Andrew Sawyers wrote:
>> DNS changes should be very tightly regulated and the group of people
>> who can make them should be very small since DNS is a very important
>> wheel in the machinery which can break all other services if not
>> handled correctly. I don't think it is important to have some "newbie-
>> friendly" tool.
>>
>> jens
>>
> This has nothing to do with a newbie friendly tool - but a third party to be
> the primary, so that a single person isn't the 'owner' of this - so those
> with appropriate access can manage this. I'm sure all of us on the list
> understand the importance of DNS and its reliability. Since it's free and
> been around for years, I thought it was worthy of looking at for the group.

Yeah, definitely. And if we go with that tool I volunteer to be
hooked up as a secondary.

jens



Re: Zope.org DNS ( was Re: http://namespaces.zope.org/zope )
>
> Yeah, definitely. And if we go with that tool I volunteer to be
> hooked up as a secondary.
>
> jens
>
>

As do I .....

Andrew


Re: Zope.org DNS ( was Re: http://namespaces.zope.org/zope )
On 9/26/06, Andrew Sawyers <andrew@sawdog.com> wrote:
>
>
>
>
> >
> > Yeah, definitely. And if we go with that tool I volunteer to be
> > hooked up as a secondary.
> >
> > jens
> >
> >
>
> As do I .....
>
> Andrew
>

I could slave as well.

I believe a single DNS query over UDP can handle around 20-25 entries,
depending on their size.

Should be no problem for an 'NS' query for zope.org to point at ten or
more hosts which run slave.

The question is, does this tool allow that? I imagine so. I know
that we set up a local slave in the convention center for SIGGRAPH in
Boston this year from our cheapo DNS provider.

--
Justizin, Independent Interactivity Architect
ACM SIGGRAPH SysMgr, Reporter
http://www.siggraph.org/
Re: Zope.org DNS ( was Re: http://namespaces.zope.org/zope )
Andrew Sawyers wrote:

>> Yeah, definitely. And if we go with that tool I volunteer to be
>> hooked up as a secondary.

> As do I .....

All this DNS volunteering is great! Unfortunately, I'm a bit at a loss
on how to proceed, as I'm not very familiar with DNS issues.

So, what I need:

* a single contact person for DNS issues that I can contact whenever
something DNS related is needed, can advise me on these issues should I
have questions, and who will arrange DNS matters among the three of you.
I propose it's one of you three (Justizin, Jens, Andrew). Anyone
volunteering for that?

* A plan of action worked out between the three of you. I basically need
to know what needs to be done bureaucratically from the side of Zope
Corporation and the Foundation to get this arranged. I'll leave the
actual work to you all - I intend to only be there when stuff needs to
be expedited somehow.

Regards,

Martijn
Re: Zope.org DNS ( was Re: http://namespaces.zope.org/zope )

> I believe a single DNS query over UDP can handle around 20-25 entries,
> depending on their size.
>
> Should be no problem for an 'NS' query for zope.org to point at ten or
> more hosts which run slave.
>
> The question is, does this tool allow that? I imagine so. I know
> that we set up a local slave in the convention center for SIGGRAPH in
> Boston this year from our cheapo DNS provider.

I'm not sure what you're trying to explain or ask here. Do you think
there would be any problem in propagating updates? Well, there won't.
And I don't see any need for more than 3 DNS servers (including the
master). DNS is not resource-intensive in any way.

jens

Re: Zope.org DNS ( was Re: http://namespaces.zope.org/zope )
On 26 Sep 2006, at 17:39, Martijn Faassen wrote:

> Andrew Sawyers wrote:
>
>>> Yeah, definitely. And if we go with that tool I volunteer to be
>>> hooked up as a secondary.
>
>> As do I .....
>
> All this DNS volunteering is great! Unfortunately, I'm a bit at a
> loss on how to proceed, as I'm not very familiar with DNS issues.

The way it works is this:

- the owner/admin for the domain changes the domain name servers
assigned for this domain through the registrar that holds the domain.
This can normally be done using a web interface at the registrar.
Someone at ZC must do this, and he needs an IP/hostname for the
primary DNS server and IPs/hostnames for secondaries

- The zone data is pulled from the old servers and entered into the
new primary. This zone data must reflect the new DNS primary/
secondaries. Whenever the primary is updated, it will contact all the
secondaries it knows about automatically and ask them to reload the
data.

- The secondaries need to have their configuration changed so that
they know they are secondaries for zope.org. They also need to know
the IP of the primary. They will then automatically fetch zone data
from the primary.

Apart from the first step this is quick and easy to do.

jens


Re: Zope.org DNS ( was Re: http://namespaces.zope.org/zope )
On 9/26/06, Jens Vagelpohl <jens@dataflake.org> wrote:
> > I believe a single DNS query over UDP can handle around 20-25 entries,
> > depending on their size.
> >
> > Should be no problem for an 'NS' query for zope.org to point at ten or
> > more hosts which run slave.
> >
> > The question is, does this tool allow that? I imagine so. I know
> > that we set up a local slave in the convention center for SIGGRAPH in
> > Boston this year from our cheapo DNS provider.
>
> I'm not sure what you're trying to explain or ask here. Do you think
> there would be any problem in propagating updates? Well, there won't.
> And I don't see any need for more than 3 DNS servers (including the
> master). DNS is not resource-intensive in any way.
>

Well, since I don't know about the suggested provider, here's my
concern - let's say I manage your DNS on my servers, and you want to
provide your own local servers. How do you get a copy of the latest
zone? Your IP must be listed in my server so that it is allowed to
perform AXFR queries.

All I'm saying is, I assume, hopefully, that this provider will allow
us to specify hosts which are allowed to perform AXFR.

They will also probably provide us with 3-4 hosts which we can use for
DNS. If You, me, and one other person each contribute two IP
addresses on different networks, that puts the zope.org zone in pretty
good shape, because various caching nameservers will handle the
trouble of determining which authoritative record is best for them to
use.

DNS may seem like a low-load service, but if you were to run a DNS
provider yourself on a single machine, I challenge you to maintain 90%
uptime. The last time I worked on a large DNS implementation we had
twelve machines in each of two geographic locations - dual xeon
machines with lots of RAM that did nothing but handle round-robin DNS
queries.

IIRC, we had about 100,000 zones, but still, let's think about this
for a moment. Imagine:

* I have www.stupidwebsiteforjerks.com
* Someone hates my stupid website, because it's for jerks
* My DNS records are in the same server as yours
* Someone decides to launch an 8MB/s or so DDoS against my NS
records and my webserver IP.
* Your site starts failing to load for 30-60% of visitors after a few hours.

;)

--
Justizin, Independent Interactivity Architect
ACM SIGGRAPH SysMgr, Reporter
http://www.siggraph.org/
Re: Zope.org DNS ( was Re: http://namespaces.zope.org/zope )
On 9/26/06, Martijn Faassen <faassen@infrae.com> wrote:
> Andrew Sawyers wrote:
>
> >> Yeah, definitely. And if we go with that tool I volunteer to be
> >> hooked up as a secondary.
>
> > As do I .....
>
> All this DNS volunteering is great! Unfortunately, I'm a bit at a loss
> on how to proceed, as I'm not very familiar with DNS issues.
>
> So, what I need:
>
> * a single contact person for DNS issues that I can contact whenever
> something DNS related is needed, can advise me on these issues should I
> have questions, and who will arrange DNS matters among the three of you.
> I propose it's one of you three (Justizin, Jens, Andrew). Anyone
> volunteering for that?

I'm glad to be the lead, and I'm glad for either of the other guys to
be the lead. ;d

Whoever you decide to nag, I think the three of us can hammer this out.

> * A plan of action worked out between the three of you. I basically need
> to know what needs to be done bureaucratically from the side of Zope
> Corporation and the Foundation to get this arranged. I'll leave the
> actual work to you all - I intend to only be there when stuff needs to
> be expedited somehow.

Okay. We will need:

* A copy of the existing zope.org zone files
* Cooperation from rob@zope.org to change the NS record pointers
* A list of people who need access in ZoneEdit

--
Justizin, Independent Interactivity Architect
ACM SIGGRAPH SysMgr, Reporter
http://www.siggraph.org/
Re: Zope.org DNS ( was Re: http://namespaces.zope.org/zope )
On 26 Sep 2006, at 17:48, Justizin wrote:
> Well, since I don't know about the suggested provider, here's my
> concern - let's say I manage your DNS on my servers, and you want to
> provide your own local servers. How do you get a copy of the latest
> zone? Your IP must be listed in my server so that it is allowed to
> perform AXFR queries.

Do you know how DNS works? Slaves don't just ask for a transfer willy-
nilly. Slaves are known to the primary and they get told when to ask.


> They will also probably provide us with 3-4 hosts which we can use for
> DNS. If You, me, and one other person each contribute two IP
> addresses on different networks, that puts the zope.org zone in pretty
> good shape, because various caching nameservers will handle the
> trouble of determining which authoritative record is best for them to
> use.
>
> DNS may seem like a low-load service, but if you were to run a DNS
> provider yourself on a single machine, I challenge you to maintain 90%
> uptime. The last time I worked on a large DNS implementation we had
> twelve machines in each of two geographic locations - dual xeon
> machines with lots of RAM that did nothing but handle round-robin DNS
> queries.

I have no idea what you are talking about. This is not some huge DNS
service that we need. We need to serve exactly one zone. This can be
done from a Palm Pilot, to be honest. I have run DNS services for
years and years and don't share any of your doubts.

jens


Re: Zope.org DNS ( was Re: http://namespaces.zope.org/zope )
On 9/26/06, Jens Vagelpohl <jens@dataflake.org> wrote:
> On 26 Sep 2006, at 17:48, Justizin wrote:
> > Well, since I don't know about the suggested provider, here's my
> > concern - let's say I manage your DNS on my servers, and you want to
> > provide your own local servers. How do you get a copy of the latest
> > zone? Your IP must be listed in my server so that it is allowed to
> > perform AXFR queries.
>
> Do you know how DNS works? Slaves don't just ask for a transfer willy-
> nilly. Slaves are known to the primary and they get told when to ask.
>

I'm not sure this is correct. We should investigate before insulting
each other's intelligence.

I know a great deal about how DNS works, thank you very much. ;)

>
> > They will also probably provide us with 3-4 hosts which we can use for
> > DNS. If You, me, and one other person each contribute two IP
> > addresses on different networks, that puts the zope.org zone in pretty
> > good shape, because various caching nameservers will handle the
> > trouble of determining which authoritative record is best for them to
> > use.
> >
> > DNS may seem like a low-load service, but if you were to run a DNS
> > provider yourself on a single machine, I challenge you to maintain 90%
> > uptime. The last time I worked on a large DNS implementation we had
> > twelve machines in each of two geographic locations - dual xeon
> > machines with lots of RAM that did nothing but handle round-robin DNS
> > queries.
>
> I have no idea what you are talking about. This is not some huge DNS
> service that we need. We need to serve exactly one zone. This can be
> done from a Palm Pilot, to be honest. I have run DNS services for
> years and years and don't share any of your doubts.
>

Okay, let's please not make this an argument.

*we* do not have large-scale DNS needs.

However, if we use someone like ZoneEdit.com, their nameservers are
highly loaded. So, as I said, if someone decides to launch a DNS
attack on ns1.zoneedit.com or whatever, it can affect the availability
of zope.org, unless there are alternates, which is what we all
propose.

It's a sad logical fallacy for you to state that because you have
never seen this problem, it does not exist. I spent nearly three
years as an engineer at one of the world's largest providers of managed
internet services, and I can tell you that NS.RACKSPACE.COM and
NS2.RACKSPACE.COM are hit multiple times a year by 8MB/s or greater
DDoS attack.

This was in a datacenter with 9GB/s of bandwidth via multiple OC-48 connections.

It's important.

--
Justizin, Independent Interactivity Architect
ACM SIGGRAPH SysMgr, Reporter
http://www.siggraph.org/
Re: Zope.org DNS ( was Re: http://namespaces.zope.org/zope )
>
> Okay. We will need:
>
> * A copy of the existing zope.org zone files
> * Cooperation from rob@zope.org to change the NS record pointers
> * A list of people who need access in ZoneEdit
>

I have a fresh ZoneEdit account open with five free zones, and I can
directly import an entire BIND Zone, so I suggest this path. It looks
quick and easy.

--
Justizin, Independent Interactivity Architect
ACM SIGGRAPH SysMgr, Reporter
http://www.siggraph.org/
Re: Zope.org DNS ( was Re: http://namespaces.zope.org/zope )
On 26 Sep 2006, at 18:00, Justizin wrote:
>> Do you know how DNS works? Slaves don't just ask for a transfer
>> willy-
>> nilly. Slaves are known to the primary and they get told when to ask.
>>
>
> I'm not sure this is correct. We should investigate before insulting
> each other's intelligence.

This is exactly how it has correctly worked for me for years working
with bind-based nameservers. You can always set up "rogue"
secondaries that purport to serve zope.org, which then would have to
be allowed to manually pull zone data, but what would be the point of
that..?


> It's a sad logical fallacy for you to state that because you have
> never seen this problem, it does not exist. I spent nearly three
> years as an engineer at one of the world's largest providers of managed
> internet services, and I can tell you that NS.RACKSPACE.COM and
> NS2.RACKSPACE.COM are hit multiple times a year by 8MB/s or greater
> DDoS attack.
>
> This was in a datacenter with 9GB/s of bandwidth via multiple OC-48
> connections.

Sorry, I don't buy your argument. First of all, big companies like
Rackspace will always be an attractive target. We're talking about
one piddling open source project here. Secondly, you're omitting the
need for economy/sanity. Rackspace has a strong economical need to be
up 24/7. Yes, you could put 20 secondaries into the zope.org DNS
structure, but what is the point? You will never need that capacity
in your life. 3 total is plenty. With 20 secondaries you also have 20
cats to herd, meaning 20 people who own and manage those secondaries.

jens

Re: Zope.org DNS ( was Re: http://namespaces.zope.org/zope )
I don't understand what you are debating, really. Could you clarify?
Re: Zope.org DNS ( was Re: http://namespaces.zope.org/zope )
On 9/26/06, Jens Vagelpohl <jens@dataflake.org> wrote:
> On 26 Sep 2006, at 18:00, Justizin wrote:
> >> Do you know how DNS works? Slaves don't just ask for a transfer
> >> willy-
> >> nilly. Slaves are known to the primary and they get told when to ask.
> >>
> >
> > I'm not sure this is correct. We should investigate before insulting
> > each other's intelligence.
>
> This is exactly how it has correctly worked for me for years working
> with bind-based nameservers. You can always set up "rogue"
> secondaries that purport to serve zope.org, which then would have to
> be allowed to manually pull zone data, but what would be the point of
> that..?
>

Okay, that's not what I'm suggesting. Whether you run it by hand or
not, with BIND, you would use named-xfer, which executes an AXFR
request.

So, if the master has to know about the slaves to *tell* them to grab
the zone, then it knows about them to *allow* an AXFR, no?

Why are we arguing this? It's pretty clear at this point that
ZoneEdit can handle this need. I wasn't familiar with it off-hand.

What I *do* know is that I can't pull an AXFR query of google.com and
get the entire Zone, not from my local machine, which is not an
approved DNS slave.

>
> > It's a sad logical fallacy for you to state that because you have
> > never seen this problem, it does not exist. I spent nearly three
> > years as an engineer at one of the world's largest providers of managed
> > internet services, and I can tell you that NS.RACKSPACE.COM and
> > NS2.RACKSPACE.COM are hit multiple times a year by 8MB/s or greater
> > DDoS attack.
> >
> > This was in a datacenter with 9GB/s of bandwidth via multiple OC-48
> > connections.
>
> Sorry, I don't buy your argument. First of all, big companies like
> Rackspace will always be an attractive target. We're talking about
> one piddling open source project here. Secondly, you're omitting the
> need for economy/sanity. Rackspace has a strong economical need to be
> up 24/7. Yes, you could put 20 secondaries into the zope.org DNS
> structure, but what is the point? You will never need that capacity
> in your life. 3 total is plenty. With 20 secondaries you also have 20
> cats to herd, meaning 20 people who own and manage those secondaries.
>

(a) ZoneEdit probably has more zones than Rackspace, which is
classified in Texas as a Small Business. ZoneEdit is well known
enough that a handful of people on this small mailing list know of it.
People don't quite always target Rackspace, they often targeted
specific Rackspace customers. Someone might target ZoneEdit.

(b) None of this matters because three of us offered to host slaves!
Why are you arguing against doing something you volunteered to do?

And why do you think I am trying to "sell" an argument? I'm telling
you - it was my job to run a big DNS infrastructure. Judging by
"ns12.zoneedit.com" and "ns10.zoneedit.com" which have been allocated
to the zope.org zone I set up, ZoneEdit is running a similar magnitude
of infrastructure.

On the other side of the coin, btw, if ZoneEdit is small fries in
comparison to Rackspace, maybe that's a good reason not to rely on
them as the only nameservers for zope.org. If their provider goes out
for a few hours, we want zope.org to be available to the world.

I think you are exaggerating the extent to which my suggestion makes
this complicated.

My suggestion: "Since several of us volunteer to donate DNS services
to zope.org, let's all provide services, as DNS servers are known,
from time to time, for various reasons, to go down."

If you disagree with that, then please, by all means, explain why.
Otherwise, let go. We're all very smart. Let's make things happen.

--
Justizin, Independent Interactivity Architect
ACM SIGGRAPH SysMgr, Reporter
http://www.siggraph.org/
Re: Zope.org DNS ( was Re: http://namespaces.zope.org/zope ) [ In reply to ]

On 26 Sep 2006, at 18:17, Lennart Regebro wrote:

> I don't understand what you are debating, really. Could you clarify?

This is about propagating data from the primary DNS server (which
would be that service Andrew suggested) to the databases held on the
secondary DNS servers. It is a fully automatic process, under normal
circumstances.

There's also the question how many secondary servers we need, or how
much DNS serving capacity. Most "normal" domains have one primary and
one secondary server. I suggest one primary and two secondaries.

jens
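
A check for the case where that automatic propagation has stalled, as an added example that is not part of the original message: it compares the SOA serial each secondary reports with the primary's, using RFC 1982 serial arithmetic so that serial wraparound is handled. The server names and serials are constructed, and the serials are assumed to have been collected already (for instance with `dig +short SOA zope.org @server`).

```python
# Added example, not from the thread. All names and serials are constructed.
MOD = 1 << 32          # SOA serials are unsigned 32-bit values
HALF = 1 << 31


def serial_newer(a, b):
    """True if serial a is newer than serial b under RFC 1982 arithmetic."""
    return a != b and ((a - b) % MOD) < HALF


def check_zone_sync(primary, serials):
    """Classify each secondary against the primary's SOA serial.

    serials maps server name -> serial (int), or None when the server gave
    no answer. Returns {secondary: status}.
    """
    p = serials.get(primary)
    if p is None:
        raise ValueError("primary gave no serial; cannot judge secondaries")
    report = {}
    for server, s in serials.items():
        if server == primary:
            continue
        if s is None:
            report[server] = "unreachable"
        elif s == p:
            report[server] = "in-sync"
        elif serial_newer(p, s):
            report[server] = "lagging"      # transfer has not happened yet
        else:
            report[server] = "diverged"     # ahead of, or incomparable with, primary
    return report


# Constructed sample: one primary and two secondaries, as proposed above.
PRIMARY = "ns-primary.example"
SAMPLE = {
    "ns-primary.example": 2006092603,
    "ns-a.example": 2006092603,
    "ns-b.example": 2006092601,
}

if __name__ == "__main__":
    for server, status in sorted(check_zone_sync(PRIMARY, SAMPLE).items()):
        print(f"{server}: {status}")
```

A secondary that stays "lagging" for longer than the zone's refresh interval is the signal worth alerting on, since it keeps answering with stale data.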



Re: Zope.org DNS ( was Re: http://namespaces.zope.org/zope ) [ In reply to ]
I second the motion.

On 9/26/06, Jens Vagelpohl <jens@dataflake.org> wrote:
>
> On 26 Sep 2006, at 18:17, Lennart Regebro wrote:
>
> > I don't understand what you are debating, really. Could you clarify?
>
> This is about propagating data from the primary DNS server (which
> would be that service Andrew suggested) to the databases held on the
> secondary DNS servers. It is a fully automatic process, under normal
> circumstances.

Except for initial configuration, which we are working on now. ;)

> There's also the question how many secondary servers we need, or how
> much DNS serving capacity. Most "normal" domains have one primary and
> one secondary server. I suggest one primary and two secondaries.
>

I second this motion!

--
Justizin, Independent Interactivity Architect
ACM SIGGRAPH SysMgr, Reporter
http://www.siggraph.org/
Re: Zope.org DNS ( was Re: http://namespaces.zope.org/zope ) [ In reply to ]

On 26 Sep 2006, at 18:20, Justizin wrote:
> (a) ZoneEdit probably has more zones than Rackspace, which is
> classified in Texas as a Small Business. ZoneEdit is well known
> enough that a handful of people on this small mailing list know of it.
> People don't quite always target Rackspace, they often targeted
> specific Rackspace customers. Someone might target ZoneEdit.

I meant specifically zope.org as the target for attack, not ZoneEdit.
Even if ZoneEdit is targeted, two secondaries is still enough.



> (b) None of this matters because three of us offered to host slaves!
> Why are you arguing against doing something you volunteered to do?

I'm not. I'm arguing against the higher number of secondaries that
you suggested earlier. Two secondaries is enough.

jens



Re: Zope.org DNS ( was Re: http://namespaces.zope.org/zope ) [ In reply to ]
On 9/26/06, Jens Vagelpohl <jens@dataflake.org> wrote:
> I'm not. I'm arguing against the higher number of secondaries that
> you suggested earlier. Two secondaries is enough.

I'm guessing that's fine too. I haven't had any problems for four
years, as mentioned, and I don't have secondaries, cuz I'm too lazy.
:-)