Posted to sysadmins@spamassassin.apache.org by "Kevin A. McGrail" <ke...@mcgrail.com> on 2017/11/09 16:44:29 UTC
Re: spamassassin.org
+sysadmins
On 11/9/2017 11:07 AM, Greg Stein wrote:
> No, we do not use PowerDNS. We have a hidden master, and a couple
> parties slave/provide DNS service for us. We are consolidating all DNS
> at Namecheap, along with them being our domain registrar.
>
> At the moment, I am transferring the domain registration over to
> Namecheap. The NS records will be unchanged. I might ask the PMC to
> consider a move to ASF resources for continuity purposes (or to
> rephrase: not rely on a third party for core operations/viability).
>
> Please let me know if you have any concerns about the registrar move.
> (tho: it should be invisible)
Hi Greg,
Technically and Administratively, the Registrar has no impact on the
project. I appreciate you asking and technically if it has the same
nameservers, it won't cause any issues for the project. All we really
need is a heads-up so we can alert you if it goes wonky. Like you said,
invisible. I wouldn't even have asked us in your shoes. I defer to the
PMC but I'm a +1 on moving the registrar.
Re: moving the NS records, I'm likely one of the few PMC members
*[Working to change that with our sysadmins group] left that can speak
to this issue but defer to a vote.
TL;DR: Don't be in such a hurry to put SA DNS onto ASF Infra. It might
cause a lot of grief and the grief is currently handled so it has zero
net gain for a lot of work.
Overall, I don't support changing the status quo and here are the reasons:
- We have just rearchitected around PowerDNS for API calls. Switching
would be difficult but not impossible. But I imagine we won't have APIs
under Infra. Ignore that issue for now while you read more bullet
points below.
- I don't think it's clear that the master DNS for spamassassin.org is
on ASF infra as a hidden master now. It has ALWAYS been there since the
project moved under the ASF.
- The name servers today share the load and use distributed DNS to
Sonic, PCCC & ENA. How is consolidating a distributed, resilient DNS
system going to improve things? I'd argue you are putting all the eggs
in one basket and it's less viable.
- The number of DNS queries was too much for ASF to handle eons
ago, hence we had to take it out of infra. With work towards the goal of
an RBL, you don't want the DNS requests in house. It is going to get
worse :-)
- Side note: PCCC provided the DNS servers for SA prior to it coming
onboard with the ASF because they had horrible DNS stability and attack
issues. ~21+ years of providing DNS for the project with no outages :-)
And the SA work has been the direct cause of bringing datacenters to
their knees no less than 3 times. Ask Samuel Abramson
<sa...@shipshapeit.com> about how I accidentally shut down Zayo in
Ashburn by accidentally redirecting our RBL traffic to their network in
the past few months. 1 stat: at that time, the RBL is every single
cPanel installation in the world and that means ALL of EIG, Godaddy,
etc. that use cPanel.
Regards,
KAM
Re: spamassassin.org
Posted by "Kevin A. McGrail" <ke...@mcgrail.com>.
On 11/9/2017 12:06 PM, Greg Stein wrote:
>
> The short answer is: the PMC is in charge. Not a problem. My concern
> is the reliance on an informal arrangement with 3rd parties that
> underlies the SA operations. I've shared that concern, and am now
> satisfied :-)
Perfectly valid concern that I share as well. I am considering the DNS
settled from my perspective but will let you and the PMC and Chair
decide for sure.
More data:
#1 Sonic is slated to be recognized as a bronze directed sponsor* and we
have our first sponsor (silver) signing using the new sponsor agreement
I drafted. I've been talking to Sonic for a few months now and making
it not informal for the same concern.
#2 ENA & PCCC likely should get on that bandwagon as well though I will
recuse myself on the PCCC discussion. And I'm not concerned about my
firm so I'll get that ducked in a row.
#3 Namecheap's relatively high TTL's and lack of support for things like
rbldnsd don't make it a suitable candidate to be involved in the DNS for
the SA project in any foreseeable future. I'd be comfortable saying 2+
years.
Regards,
KAM
*Draft of the new sponsor thanks page. It's a WIP:
http://www.staging.apache.org/foundation/thanks2.html
Re: spamassassin.org
Posted by Greg Stein <gs...@gmail.com>.
On Thu, Nov 9, 2017 at 10:44 AM, Kevin A. McGrail <kevin.mcgrail@mcgrail.com> wrote:
>...
> Re: moving the NS records, I'm likely one of the few PMC members *[Working
> to change that with our sysadmins group] left that can speak to this issue
> but defer to a vote.
>
> TL;DR: Don't be in such a hurry to put SA DNS onto ASF Infra. It might
> cause a lot of grief and the grief is currently handled so it has zero net
> gain for a lot of work.
>
I'm in no hurry, and not forcing any change. It's on you guys, what you'd
like to do. I merely asked for consideration. "Status quo" is totally fine.
> Overall, I don't support changing the status quo and here are the reasons:
>
> - We have just rearchitected around PowerDNS for API calls. Switching
> would be difficult but not impossible. But I imagine we won't have APIs
> under Infra. Ignore that issue for now while you read more bullet points
> below.
>
Namecheap has an API.
(I've been using it for domain management; found it easy to use, and
customer/API support has been excellent; I believe that over time, we'll
also use it to manage apache.org itself)
> - I don't think it's clear that the master DNS for spamassassin.org is on
> ASF infra as a hidden master now. It has ALWAYS been there since the
> project moved under the ASF.
>
> - The name servers today share the load and use distributed DNS to Sonic,
> PCCC & ENA. How is consolidating a distributed, resilient DNS system going
> to improve things? I'd argue you are putting all the eggs in one basket
> and it's less viable.
>
Oh, haha... no way am I suggesting we move this to ASF provision. My
current plan is to try and shift all ASF DNS provision over to Namecheap,
who provides an SLA of 100% [1]. I am happy with that one basket, and we'll
be heading in that direction, to reduce our own management/costs for DNS.
>...
The short answer is: the PMC is in charge. Not a problem. My concern is the
reliance on an informal arrangement with 3rd parties that underlies the SA
operations. I've shared that concern, and am now satisfied :-)
Cheers,
-g
[1] https://www.namecheap.com/security/premiumdns.aspx