
On The Distinct Unlikeliness of Rolling Blackouts From Vista DNS

Paul Mockapetris says Vista is going to take down the Internet’s DNS infrastructure. Paul is the inventor of DNS; I met him at Black Hat last year and was half starstruck, half relieved he didn’t hate me for the things I’d done to his creation 🙂 Paul knows DNS. It’s his creation. But you’ll note in this story that Joris Evers can’t actually find anyone who agrees with Paul.

There’s a reason.

First, while there are indeed a couple of underprovisioned name servers, there are far more that have lots and lots of slack capacity. You need slack capacity to deal with shock load. The networks that would fail because of Vista’s release would fail because of a three day weekend.

Second, Vista’s not getting deployed all at once. This is no service pack that’s deployed to a hundred million desktops via Windows Update! Mockapetris is correct in that there will be a noticeable increase in DNS traffic, but that increase will be spread out over the course of a couple of years. Slow increases like this tend not to cause the sort of catastrophic failure that Mockapetris refers to.

Finally, and most importantly (in the sense that Mockapetris should know better): most of the work done to service the IPv6 request is cached and available to service the IPv4 request. To complete a DNS lookup, you have to locate a particular server, known as the authoritative server for a domain. That means walking the delegation chain from the root servers down through the TLD servers, and a recursive resolver caches every referral it learns along the way. The same authoritative server that hosts the IPv6 (AAAA) record also hosts the IPv4 (A) record, so once the AAAA lookup has found it, the A lookup goes straight there. So even if Vista sends twice the traffic, the upstream nameserver is certainly not experiencing twice the load.
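To make the point concrete, here is a toy recursive resolver (added for this post, not code from anyone mentioned in it) that counts upstream queries for an AAAA lookup followed by an A lookup of the same name. The zone data, server names and addresses are constructed; the delegation chain root → TLD → authoritative zone is the part that matters.

```python
# Toy recursive resolver: count upstream queries for an AAAA lookup followed
# by an A lookup, with a shared delegation cache versus two cold lookups.
# All zone data, server names and addresses below are constructed examples.

ZONES = {  # zone -> its nameserver and, for the leaf zone, its records
    ".": {"ns": "root-server"},
    "com.": {"ns": "com-server"},
    "example.com.": {"ns": "example-server", "records": {
        ("www.example.com.", "A"): "192.0.2.10",
        ("www.example.com.", "AAAA"): "2001:db8::10"}},
}

def zone_chain(name):
    """Zones to walk from the root down to the one authoritative for name."""
    labels = name.rstrip(".").split(".")
    chain = ["."]
    for i in range(len(labels) - 1, -1, -1):
        zone = ".".join(labels[i:]) + "."
        if zone in ZONES:
            chain.append(zone)
    return chain

def fresh_cache():
    """A resolver starts out knowing only the root servers (root hints)."""
    return {".": ZONES["."]["ns"]}

def resolve(name, qtype, cache):
    """Return (answer, upstream queries). `cache` maps zone -> nameserver
    learned from earlier referrals, so a later lookup skips straight to the
    deepest zone it already knows about instead of re-walking from the root."""
    chain = zone_chain(name)
    cache.setdefault(".", ZONES["."]["ns"])
    start = max(i for i, z in enumerate(chain) if z in cache)
    queries = 0
    for i in range(start, len(chain)):
        queries += 1                           # one query to this zone's server
        if i == len(chain) - 1:                # authoritative server answers
            return ZONES[chain[i]]["records"].get((name, qtype)), queries
        child = chain[i + 1]
        cache[child] = ZONES[child]["ns"]      # referral: learn the child's NS

def dual_stack_cost(name):
    """Upstream queries for AAAA then A on one shared cache, versus the naive
    'twice the traffic means twice the load' model of two cold lookups."""
    shared = fresh_cache()
    _, aaaa_q = resolve(name, "AAAA", shared)
    _, a_q = resolve(name, "A", shared)
    _, cold_q = resolve(name, "A", fresh_cache())
    return {"shared": aaaa_q + a_q, "two_cold": 2 * cold_q}
```

For `www.example.com.` the AAAA lookup costs three upstream queries (root, com, authoritative) and the following A lookup costs one, so the pair costs four queries rather than six; the root and TLD servers see no extra traffic at all from the second query type.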

Full disclosure: Microsoft has had me looking at Vista for much of this year, as part of their “Blue Hat Hacker” external pen-testing squad. But then, Mockapetris’s company, Nominum, has written a really impressive name server that can handle about 4x the load of BIND. But this isn’t about who we are; it’s about what is or isn’t going to collapse. There are things to worry about. This isn’t one of them.

Categories: Security