[arin-ppml] ARIN-prop-167 Removal of Renumbering Requirement for Small Multihomers
mysidia at gmail.com
Sat May 5 13:42:41 EDT 2012
On 5/3/12, William Herrin <bill at herrin.us> wrote:
> Due respect Jimmy, read up on DNS pinning. The whole point is to hold
> the first IP address beyond the TTL. It's the solution to a
DNS pinning comes into play only for low-TTL records. Keep the TTL
for your DNS records at 86400 or higher, and there is no pinning.
DNS Pinning is an "excuse", not a legitimate reason not to renumber.
The specified security function of DNS pinning for low-TTL records is
to prevent a specific rebinding attack, which is a time-sensitive
attack; DNS pinning anything without a low TTL was not part of the
spec and would be uncalled for. No one here has actually identified
any commonly used browser that has DNS pinning which is broken in the
There is no documented proof available that specific implementations
of DNS pinning are broken, or that it is a real issue even over a
transition staged over a substantial length of time.
Again, browser windows don't get left open for 2 months, let alone 6 or 12.
It is pretty much unheard of, unless that browser is solely being
pointed to your one site and doing nothing else, over the entire
timeframe, with the page constantly being loaded, for the purpose of
intentionally having an issue.
Web browsers aren't that stable, require constant updates due to bugs
in plugins such as Flash/Acrobat, and don't see those kinds of
uptimes, even if the browser has a broken implementation that does DNS
PIN until restart.
Heck... Desktop OSes are not that stable, and it is critical that
they be updated frequently; uptimes above 30 days are rare, and
6-month uptimes are almost unheard of.
And the policy provides 12 months.
It's certainly feasible to transition DNS records for 255 hosts within 90 days:
have your IT staff provide a dual-IP period of sufficient length
that requests to the old address become vanishingly small.
Require your IT staff to monitor requests that do come in at the old
IP address, after a period of time, and identify any issues, repeat
until all issues are gone.
And I'm sure ARIN can offer some sort of extension to the 12 months
with good cause (?)
There is no pain whatsoever involved, given enough time, and 12
months is a lot of time. Renumbering is a simple incremental
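The "monitor requests that still come in at the old IP address" step of the renumbering procedure described in the post, as an added example that is not part of the original mailing-list thread. It assumes (my assumption, not any standard) a web server access log whose lines carry the server-side address first, i.e. Apache's combined format with %A prepended and the Host header appended, so each hit can be attributed to the old block or the new one. The log lines and address blocks below are constructed sample data using the RFC 5737 TEST-NET ranges.

```python
"""Track traffic still arriving on the old address block during a renumber.

Added example, not code from the original post. Assumed log format
(one line per request; this is an assumption, not a standard):

    <local_ip> <client_ip> [<dd/Mon/yyyy:HH:MM:SS +0000>] "<request>" <status> "<Host header>"

A client that keeps hitting the old block with a DNS name in its Host header
is a stale-cache / pinning suspect; one that sends the old IP literal as the
Host header never used DNS at all and has the address hard-coded.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'^(?P<local>\S+) (?P<client>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) "(?P<host>[^"]*)"$'
)

# Constructed sample log: 192.0.2.0/24 is the block being returned,
# 198.51.100.0/24 is its replacement. One line is deliberately malformed.
SAMPLE_LOG = """\
192.0.2.10 203.0.113.5 [01/Jun/2012:10:00:00 +0000] "GET / HTTP/1.1" 200 "www.example.com"
198.51.100.10 203.0.113.6 [01/Jun/2012:10:00:05 +0000] "GET / HTTP/1.1" 200 "www.example.com"
198.51.100.10 203.0.113.7 [01/Jun/2012:10:00:09 +0000] "GET /a HTTP/1.1" 200 "www.example.com"
192.0.2.10 203.0.113.5 [02/Jun/2012:09:00:00 +0000] "GET / HTTP/1.1" 200 "www.example.com"
198.51.100.10 203.0.113.8 [02/Jun/2012:09:00:01 +0000] "GET / HTTP/1.1" 200 "www.example.com"
198.51.100.10 203.0.113.9 [02/Jun/2012:09:00:02 +0000] "GET / HTTP/1.1" 200 "www.example.com"
198.51.100.10 203.0.113.6 [02/Jun/2012:09:00:03 +0000] "GET / HTTP/1.1" 200 "www.example.com"
192.0.2.10 203.0.113.200 [03/Jun/2012:08:00:00 +0000] "GET / HTTP/1.1" 200 "192.0.2.10"
not a log line
198.51.100.10 203.0.113.9 [03/Jun/2012:08:00:01 +0000] "GET / HTTP/1.1" 200 "www.example.com"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "local": ipaddress.ip_address(m.group("local")),
        "client": ipaddress.ip_address(m.group("client")),
        "day": ts.date().isoformat(),
        "host": m.group("host"),
    }


def _is_ip_literal(host):
    """True if the Host header is an IP literal (optionally with a port)."""
    name = urlsplit("//" + host).hostname
    if not name:
        return False
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def daily_counts(log_text, old_prefix):
    """Per day: (hits that arrived on the old block, total hits)."""
    old = ipaddress.ip_network(old_prefix)
    counts = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than abort the report
        counts[rec["day"]][1] += 1
        if rec["local"] in old:
            counts[rec["day"]][0] += 1
    return {day: tuple(v) for day, v in sorted(counts.items())}


def old_traffic_ratio(log_text, old_prefix):
    """Fraction of all hits that still arrived on the old block."""
    counts = daily_counts(log_text, old_prefix)
    old_hits = sum(o for o, _ in counts.values())
    total = sum(t for _, t in counts.values())
    return old_hits / total if total else 0.0


def old_block_quiet(log_text, old_prefix, max_ratio=0.001):
    """The 'vanishingly small' test: old-block share at or below max_ratio."""
    return old_traffic_ratio(log_text, old_prefix) <= max_ratio


def lingering_clients(log_text, old_prefix):
    """Clients still reaching the old block: (client, last day, Host, hard-coded?)."""
    old = ipaddress.ip_network(old_prefix)
    seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["local"] not in old:
            continue
        seen[str(rec["client"])] = (rec["day"], rec["host"], _is_ip_literal(rec["host"]))
    ordered = sorted(seen.items(), key=lambda kv: ipaddress.ip_address(kv[0]))
    return [(client, *info) for client, info in ordered]


if __name__ == "__main__":
    OLD = "192.0.2.0/24"
    for day, (o, t) in daily_counts(SAMPLE_LOG, OLD).items():
        print(f"{day}: {o}/{t} hits on old block")
    print(f"old-block share: {old_traffic_ratio(SAMPLE_LOG, OLD):.3f}")
    for client, day, host, hardcoded in lingering_clients(SAMPLE_LOG, OLD):
        print(f"{client} last seen {day} Host={host!r} hard-coded={hardcoded}")
```

Run this daily over the old block's logs during the dual-IP period; the report is "done" when old_block_quiet() stays true and lingering_clients() is empty or contains only clients you have already chased down. The hard-coded flag matters because a client sending an IP literal as its Host header will never follow the DNS change, no matter how long the overlap lasts, and has to be contacted directly.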