[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Cloudflare is down

On 3 March 2013 23:31, Saku Ytti <saku at ytti.fi> wrote:
> On (2013-03-03 12:46 -0800), Constantine A. Murenin wrote:
>> Definitely smart to be delegating your DNS to the web-accelerator
>> company and a single point of failure, especially if you are not just
>> running a web-site, but have some other independent infrastructure,
>> too.
> To be fair, most of us probably have harmonized peering edge, running one
> vendor, with one or two software releases and as as such as susceptible to
> BGP update taking down whole edge.
> I'm not comfortable personally to point cloudflare and say this was easily
> avoidable and should not have happened (Not implying you are either).

The issue I have is not with their network.

The issue is that they require ALL of their customers to hand over DNS
control, and completely disregard any kind of situation as what has
just happened.

* They don't provide any IP-addresses which you can set your A or AAAA
records to.

* They don't provide any hostnames which you can set a CNAME to.
(Supposedly, they do offer CNAME support to paid customers, but if you
look at their help page for CNAME support, it's clearly evident that
it's highly discouraged and effectively an unsupported option.)

* They don't let you AXFR and mirror the zones, either.

So, the issue here, is that a second point of failure is suddenly
introduced to your own harmonised network, and introduced in a way as
to suggest that it's not a big deal, and will make everything better

In actuality, this doesn't even stop their users from going the
unsupported route:  I've seen some relatively major and popular
hosting provider turn over their web-site to CloudFlare when it was
under attack, but they did it with an A record, potentially to not
suffer a complete embarrassment of having `whois` show that they don't
even use the nameservers that they provide to their own users.

> Even if cloudflare had been running out-sourced anycast DNS with many
> vendor edge, the records had still been pointing out to a network which you
> couldn't reach.

This is where you have it wrong.  DNS is not only useful for http.
Yet CloudFlare only provides http-acceleration.  Yet they do require
that you delegate your domains to the nameservers on their own
single-vendor network, with no option to opt-out.

I don't think they should necessarily be running an out-sourced DNS,
but I do think that they should not make it a major problem for users
to use http-acceleration services without DNS tie-ins.  Last I
checked, CloudFlare didn't even let you setup just a subdomain for
their service, e.g. they do require complete DNS control from the
registrar-zone level, all the time, every single time.