
fanf

Amazon "Route 53" authoritative DNS service

7th Dec 2010 | 08:21

What a disappointing offering.

To be fair, they are providing a cheap, high volume, globally distributed, authoritative DNS service. I expect they will do this as superbly as their other cloud hosting services.

But they are using obsolete unmaintained software for the DNS servers. This has two clearly bad consequences:

Firstly, they don't support DNSSEC.

Secondly, they have invented their own API for updating the DNS instead of using the standard dynamic update protocol.

ETA: Thirdly (but not a djbdns problem) they don't support AXFR, let alone NOTIFY and IXFR, which means that Route 53 cannot be used as a secondary DNS service for a primary you run, nor can you set up a local slave of your Route 53 zones.

I admit that they would have to have their own API for provisioning zones, since there is not yet a standard way to do that - and in fact BIND is only just getting its own API for dynamic zone provisioning. But I doubt I'll see Amazon staff on the IETF lists working to help standardize a provisioning protocol if they don't even support DNSSEC or standard dynamic updates.
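To make concrete what "the standard dynamic update protocol" above means, here is an added example, not code from the post, from Amazon or from djbdns: it builds an RFC 2136 UPDATE message in wire format using only the Python standard library and signs it with a TSIG key (HMAC-SHA256, RFC 8945), which is how a standards-based update is authenticated; TSIG is the same mechanism that authenticates the NOTIFY and AXFR/IXFR exchanges the ETA paragraph mentions. The zone name, owner name, address, key name and secret are constructed placeholders. The `tsig_verify` function is the receiving server's side of the check: it recomputes the MAC over the message as it was before signing and rejects a message that was altered or that falls outside the time window.

```python
"""RFC 2136 dynamic UPDATE built and TSIG-signed (RFC 8945) with the Python
standard library only. Added illustration, not code from the post, Amazon or
djbdns. Zone names, key name and secret are constructed placeholders."""
import hashlib
import hmac
import struct
import time

CLASS_IN, CLASS_ANY = 1, 255
TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250
OPCODE_UPDATE = 5


def encode_name(name):
    """Uncompressed wire-format domain name (RFC 1035 section 3.1)."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg, off):
    """Offset just past the name starting at off (compression pointers allowed)."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def build_update(zone, owner, ipv4, ttl=300, msg_id=0x1234):
    """UPDATE adding one A record: zone section names the zone via a SOA question,
    prerequisite section is empty, update section carries the new RR."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 1, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    update_section = (encode_name(owner)
                      + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata)
    return header + zone_section + update_section


def _tsig_variables(key_wire, alg_wire, time_signed, fudge, error=0, other=b""):
    """TSIG fields covered by the MAC in addition to the message itself."""
    return (key_wire.lower() + struct.pack("!HI", CLASS_ANY, 0) + alg_wire.lower()
            + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(message, key_name, secret, time_signed=None, fudge=300,
              alg_name="hmac-sha256."):
    """Append a TSIG RR to an unsigned message and bump ARCOUNT by one."""
    if time_signed is None:
        time_signed = int(time.time())
    key_wire, alg_wire = encode_name(key_name), encode_name(alg_name)
    covered = message + _tsig_variables(key_wire, alg_wire, time_signed, fudge)
    mac = hmac.new(secret, covered, hashlib.sha256).digest()
    original_id = struct.unpack("!H", message[:2])[0]
    rdata = (alg_wire + time_signed.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + struct.pack("!HHH", original_id, 0, 0))
    tsig_rr = key_wire + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + tsig_rr


def tsig_verify(signed, secret, now=None):
    """Server-side check: locate the trailing TSIG RR, recompute the MAC over the
    message as it was before signing, and enforce the fudge time window."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    if ar == 0:
        return False
    off = 12
    for _ in range(qd):
        off = skip_name(signed, off) + 4
    for _ in range(an + ns + ar):
        rr_start = off
        off = skip_name(signed, off) + 8
        off += 2 + struct.unpack("!H", signed[off:off + 2])[0]
    p = skip_name(signed, rr_start)
    key_wire = signed[rr_start:p]
    rtype, rclass = struct.unpack("!HH", signed[p:p + 4])
    if rtype != TYPE_TSIG or rclass != CLASS_ANY:
        return False
    p += 10  # skip TYPE, CLASS, TTL and RDLENGTH
    alg_end = skip_name(signed, p)
    alg_wire = signed[p:alg_end]
    time_signed = int.from_bytes(signed[alg_end:alg_end + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[alg_end + 6:alg_end + 10])
    mac = signed[alg_end + 10:alg_end + 10 + mac_size]
    q = alg_end + 10 + mac_size
    _orig_id, error, other_len = struct.unpack("!HHH", signed[q:q + 6])
    other = signed[q + 6:q + 6 + other_len]
    if len(other) != other_len:
        return False
    unsigned = signed[:10] + struct.pack("!H", ar - 1) + signed[12:rr_start]
    variables = _tsig_variables(key_wire, alg_wire, time_signed, fudge, error, other)
    expected = hmac.new(secret, unsigned + variables, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False
    now = int(time.time()) if now is None else now
    return abs(now - time_signed) <= fudge
```

Calling `tsig_sign(build_update("example.test.", "host.example.test.", "192.0.2.10"), "update-key.", secret)` yields the bytes a primary expecting TSIG-authenticated updates would accept from a client holding `secret`; flipping any byte of the update section, using the wrong key, or replaying the message outside the fudge window makes `tsig_verify` return False, which is why a shim over this protocol would give a hosted service the same authentication semantics as a self-run primary.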


Comments {20}

Jan-Piet Mens

Unbelievable

from: jpmens
date: 7th Dec 2010 08:49 (UTC)

I picked up the djbdns-tidbit somewhere yesterday, and I can still hardly believe that AWS actually deployed that in today's day and age. Fully agree that non-availability of DNSSEC makes the route53 offering "sub-optimal".

Dynamic updates would have been good, but I understand their deployment of their own API, which must fit into the rest (pun not intended) of their services.


Tony Finch

Re: Unbelievable

from: fanf
date: 7th Dec 2010 10:41 (UTC)

Having their own API is nice for their users who are used to RESTful interfaces, but I tend to think it should be implemented as a shim over the native DNS update protocol.


Sheep with a guitar

from: sbp
date: 7th Dec 2010 13:55 (UTC)

Wuh?


Tony Finch

from: fanf
date: 7th Dec 2010 13:58 (UTC)

What are you puzzled by?


Jan-Piet Mens

No IPv6

from: jpmens
date: 7th Dec 2010 14:22 (UTC)

They don't support IPv6 either.


Tony Finch

Re: No IPv6

from: fanf
date: 7th Dec 2010 14:44 (UTC)

They support IPv6 reverse DNS zones and AAAA records, but their nameservers do not themselves have IPv6 addresses.


Res facta quae tamen fingi potuit

from: pauamma
date: 7th Dec 2010 15:05 (UTC)

Please tell me their MX doesn't run qm**l.


Tony Finch

from: fanf
date: 7th Dec 2010 15:12 (UTC)

I love explaining to people how broken qmail is when they complain they can't get email through to cam.ac.uk :-) (We use DNSSEC and qmail fails when it brokenly makes an ANY query with a broken buffer that is too small for the reply.)


Res facta quae tamen fingi potuit

from: pauamma
date: 7th Dec 2010 16:33 (UTC)

Yeah. "More broken than Exchange" comes to mind.


Roy

from: owdbetts
date: 11th Dec 2010 13:43 (UTC)

Ah, well I don't think DJB approves of DNS packets bigger than 512 bytes :-)

I don't think he approves of (and therefore supports) DNS over TCP, either.

Isn't the official answer that you're supposed to use qmail with tinydns as your resolver, and then everything works (although I'm skeptical things actually work properly even then)?

-roy


cozminsky

from: cozminsky
date: 14th Dec 2010 09:49 (UTC)

You can run axfrdns if you want tcp service, although I've never managed to get the security settings in the config file to deny axfr but allow regular tcp queries.


Malc

from: mas90
date: 7th Dec 2010 17:57 (UTC)

"I expect they will do this as superbly as their other cloud hosting services."
I hope this was intended as ironic. I have a pet rant about AWS which I will hopefully get around to posting soon.


Roy

from: owdbetts
date: 11th Dec 2010 13:39 (UTC)

I don't know if it's so much unmaintained, or if DJB just regards it as finished :-)

I'm pretty sure the main reason it doesn't support DNSSEC (and probably never will) is because DJB doesn't approve of DNSSEC (remember he was pushing DNSCurve). I suspect AXFR and NOTIFY fall into the same category (I think he expects you to sync your zone files by some out-of-band means).

I don't really understand why people like it, but it does seem to have its followers -- I guess it is very lightweight compared to BIND.

-roy


Tony Finch

from: fanf
date: 11th Dec 2010 20:58 (UTC)

Anything that doesn't even compile on modern Unix is not maintained. DJB believes he can write extern int errno and not bother with errno.h which is not true on multithreaded systems.

For zone transfer he believes in rsync, which is better than AXFR but much worse than notify+IXFR+TSIG.

DNSSEC and DNSCurve are solving completely different problems. DNSSEC authenticates data but DNSCurve authenticates servers. As such it is basically equivalent to TSIG plus DJB's favourite cipher plus a cunning key distribution scheme. It's likely that Curve25519 will be added to the DNSSEC cipher suite.


Ross

from: crazyscot
date: 13th Dec 2010 19:41 (UTC)

djbdns does support both axfr and TCP, says my dim memory of when I was running it on hardware that didn't have enough flash to run bind - just that it's handled by a sister daemon.


cozminsky

from: cozminsky
date: 14th Dec 2010 09:54 (UTC)

I like the fact that it doesn't have zones in the data file, that it deals with forward and reverse automatically (although automatic AAAA reverse requires a patch floating around somewhere). I'm still running it for my personal domains, but the limitations of no dnssec and dynamic updates from my dhcp server are really starting to grate. I'm investigating nsd for my domains and unbound as a resolver when I get around to it.


painter 11

from: anonymous
date: 17th Jan 2011 06:56 (UTC)

Brilliant blog post, lots of helpful knowledge.


No Idea

from: anonymous
date: 24th Jan 2011 08:40 (UTC)

Sorry to have to inform you, but most of what you think you know is wrong. Please read: http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/djbdns-myths-dispelled.html


Tony Finch

Re: No Idea

from: fanf
date: 24th Jan 2011 10:33 (UTC)

That page does not disagree with my statements that djbdns does not support DNSSEC and dynamic update. Also it doesn't support notify and ixfr. Even though djbdns supports axfr, Amazon does not.

Like djbdns that page has been rather left behind by developments in the DNS world in the last 8 years.


don't go for falsification of djbdns

from: anonymous
date: 19th Aug 2012 09:46 (UTC)

Go through the documentation thoroughly before coming to a conclusion.
http://cr.yp.to/djbdns/axfr-clarify.html Follow this link to know more about what is supported and what is not and WHY...
