Posted to sysadmins@spamassassin.apache.org by "Kevin A. McGrail" <ke...@mcgrail.com> on 2017/11/09 16:44:29 UTC

Re: spamassassin.org

+sysadmins

On 11/9/2017 11:07 AM, Greg Stein wrote:
> No, we do not use PowerDNS. We have a hidden master, and a couple 
> parties slave/provide DNS service for us. We are consolidating all DNS 
> at Namecheap, along with them being our domain registrar.
>
> At the moment, I am transferring the domain registration over to 
> Namecheap. The NS records will be unchanged. I might ask the PMC to 
> consider a move to ASF resources for continuity purposes (or to 
> rephrase: not rely on a third party for core operations/viability).
>
> Please let me know if you have any concerns about the registrar move. 
> (tho: it should be invisible)

Hi Greg,

Technically and Administratively, the Registrar has no impact on the 
project.  I appreciate you asking and technically if it has the same 
nameservers, it won't cause any issues for the project. All we really 
need is a heads-up so we can alert you if it goes wonky.  Like you said, 
invisible.  I wouldn't even have asked us in your shoes.  I defer to the 
PMC but I'm a +1 on moving the registrar.


Re: moving the NS records, I'm likely one of the few PMC members 
*[Working to change that with our sysadmins group] left that can speak 
to this issue but defer to a vote.

TL;DR: Don't be in such a hurry to put SA DNS onto ASF Infra. It might 
cause a lot of grief and the grief is currently handled so it has zero 
net gain for a lot of work.

Overall, I don't support changing the status quo and here are the reasons:

- We have just rearchitected around PowerDNS for API calls. Switching 
would be difficult but not impossible.  But I imagine we won't have APIs 
under Infra.  Ignore that issue for now while you read more bullet 
points below.

- I don't think it's clear that the master DNS for spamassassin.org is 
on ASF infra as a hidden master now.  It has ALWAYS been there since the 
project moved under the ASF.

- The name servers today share the load and use distributed DNS to 
Sonic, PCCC & ENA.  How is consolidating a distributed, resilient DNS 
system going to improve things?  I'd argue you are putting all the eggs 
in one basket and it's less viable.

- The number of DNS queries was too much for ASF to handle eons 
ago, hence we had to take it out of infra.  With work towards the goal of 
an RBL, you don't want the DNS requests in house.  It is going to get 
worse :-)

- Side note: PCCC provided the DNS servers for SA prior to it coming 
onboard with the ASF because they had horrible DNS stability and attack 
issues.  ~21+ years of providing DNS for the project with no outages :-)

And the SA work has been the direct cause of bringing datacenters to 
their knees no less than 3 times.  Ask Samuel Abramson 
<sa...@shipshapeit.com> about how I accidentally shut down Zayo in 
Ashburn by accidentally redirecting our RBL traffic to their network in 
the past few months.  1 stat:  at that time, the RBL is every single 
cPanel installation in the world and that means ALL of EIG, Godaddy, 
etc. that use cPanel.

Regards,

KAM



Re: spamassassin.org

Posted by "Kevin A. McGrail" <ke...@mcgrail.com>.
On 11/9/2017 12:06 PM, Greg Stein wrote:
>
> The short answer is: the PMC is in charge. Not a problem. My concern 
> is the reliance on an informal arrangement with 3rd parties that 
> underlies the SA operations. I've shared that concern, and am now 
> satisfied :-)

Perfectly valid concern that I share as well.  I am considering the DNS 
settled from my perspective but will let you and the PMC and Chair 
decide for sure.

More data:

#1 Sonic is slated to be recognized as a bronze directed sponsor* and we 
have our first sponsor (silver) signing using the new sponsor agreement 
I drafted.  I've been talking to Sonic for a few months now and making 
it not informal for the same concern.

#2 ENA & PCCC likely should get on that bandwagon as well though I will 
recuse myself on the PCCC discussion.  And I'm not concerned about my 
firm so I'll get that ducked in a row.

#3 Namecheap's relatively high TTLs and lack of support for things like 
rbldnsd don't make it a suitable candidate to be involved in the DNS for 
the SA project in any foreseeable future. I'd be comfortable saying 2+ 
years.

Regards,

KAM


*Draft of the new sponsor thanks page.  It's a WIP: 
http://www.staging.apache.org/foundation/thanks2.html


Re: spamassassin.org

Posted by Greg Stein <gs...@gmail.com>.
On Thu, Nov 9, 2017 at 10:44 AM, Kevin A. McGrail <kevin.mcgrail@mcgrail.com> wrote:
>...

> Re: moving the NS records, I'm likely one of the few PMC members *[Working
> to change that with our sysadmins group] left that can speak to this issue
> but defer to a vote.
>
> TL;DR: Don't be in such a hurry to put SA DNS onto ASF Infra. It might
> cause a lot of grief and the grief is currently handled so it has zero net
> gain for a lot of work.
>
I'm in no hurry, and not forcing any change. It's on you guys, what you'd
like to do. I merely asked for consideration. "Status quo" is totally fine.

> Overall, I don't support changing the status quo and here are the reasons:
>
> - We have just rearchitected around PowerDNS for API calls.  Switching
> would be difficult but not impossible.  But I imagine we won't have APIs
> under Infra.  Ignore that issue for now while you read more bullet points
> below.
>
Namecheap has an API.

(I've been using it for domain management; found it easy to use, and
customer/API support has been excellent; I believe that over time, we'll
also use it to manage apache.org itself)

> - I don't think it's clear that the master DNS for spamassassin.org is on
> ASF infra as a hidden master now.  It has ALWAYS been there since the
> project moved under the ASF.
>
> - The name servers today share the load and use distributed DNS to Sonic,
> PCCC & ENA.  How is consolidating a distributed, resilient DNS system going
> to improve things?  I'd argue you are putting all the eggs in one basket
> and it's less viable.
>
Oh, haha... no way am I suggesting we move this to ASF provision. My
current plan is to try and shift all ASF DNS provision over to Namecheap,
who provides an SLA of 100% [1]. I am happy with that one basket, and we'll
be heading in that direction, to reduce our own management/costs for DNS.

>...

The short answer is: the PMC is in charge. Not a problem. My concern is the
reliance on an informal arrangement with 3rd parties that underlies the SA
operations. I've shared that concern, and am now satisfied :-)

Cheers,
-g

[1] https://www.namecheap.com/security/premiumdns.aspx