On Wednesday 17 August 2011 23:51:12 Alan McKinnon wrote:

> Long long ago (in the 90s) when a current colleague started working
> here, he wanted access to the hidden primary (like your ns00).
>
> He was given a bare machine (no OS) with these instructions:
>
> It's 10am, by 4pm I want a name server running on that hardware,
> authoritative for domain xxx.yyy.zzz, live on the internet, with
> firewall installed and all reasonable security precautions taken. You
> do not have to register xxx.yyy.zzz with any registrar, we will test
> it with "dig @".
>
> He passed :-)

A better man than me!

> The same fellow 3 years later found one day that the company zone had
> not loaded after an update (the name servers are self-hosted in that
> zone) and the support person that did it had done it twice before
> recently. Ten minutes later an ACL was in place and only systems could
> edit the zone. The entire company was told to propose sub-domains for
> their own teams and systems would delegate them - the uproar was
> fantastic but he stood his ground. He was 100% right of course and we
> still benefit today.
>
> Lessons learned:
> - do not ever mess with your DNS admin
> - $DEITY says "sir" in hushed tones when addressing the dns admin

I enjoyed that tale - thank you Alan.

--
Rgds
Peter Linux Counter 5290, 1994-04-23