On Aug 7, 2025, at 9:41 PM, John Todd via NANOG <[email protected]> wrote:
> we split traffic on the "back-end" between PowerDNS recursor and Unbound

Using multiple products is definitely best practice. At my company, we have half of our (anycasted) authoritative DNS servers using BIND, and the other half using PowerDNS. If you don't do this, you can be vulnerable to something like CVE-2025-40775, where an attacker can terminate all your DNS servers simultaneously by sending each a malicious packet. Or maybe there's some other bug in the software that makes it randomly crash at a certain time. If this happens, you want to make sure that only half of them go offline.

--
Robert L Mathews
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/[email protected]/message/6IXHN4JQQ6QVHT5DSTCQTTLZN3V7PUOC/
