28 November, 2006

DNS Continued

Some good DNS discussion is occurring.

Jake Brodsky brought out some good points against relying strictly on DNS.

First, it is yet another service vulnerable to attack.

Second, despite redundancies and the like, it still represents an additional point of failure.

Third, DCS networks aren't so large that one is not able to use a host file effectively.

Fourth, the use of host files does not preclude the use of a DNS. One can configure nslookup to try host file addresses first, and then if not found, to try a DNS.

Fifth, the use of raw IP addresses can avoid the use of the nslookup latencies altogether. Thus, even if the name service infrastructure is compromised, you can still have other functional bits of software.


All of these are true and I'll add another.

In general, control systems are more static than a normal IT environment, so there is less or no need for a dynamic naming environment. Where an IT server might go for months or even years without changing its address, a control system is sometimes intended to go for decades (though I suspect this time cycle will shorten, if it hasn't already).

Now it is time to flip my hat. In retrospect, the points I emphasized to criticize normal naming practices were the wrong ones.

So to be more specific:

Many (most?) control systems I have looked at not only had host files, but the host files on machine A were different from the ones on machine B, even though B was a backup for A. Furthermore, the names often no longer matched existing IP addresses. There are certainly valid reasons for even these things to occur sometimes, but it always looked pretty sloppy to me. The same statement, with some changes, applies to DNS settings and direct IP entry. Honestly, this is probably more of a problem with general maintenance and attention to detail than one specific to naming. So if you are an engineer, perhaps it would be worth adding an annual maintenance item to rationalize the naming environment for your control environment.
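As an added example of what that annual check could look like (this is not code from the original post), the script below parses hosts files collected from several machines and reports names that map to different addresses on different machines, plus names that exist on only some of them. The two hosts files and the machine names are constructed samples.

```python
import ipaddress
from collections import defaultdict

# Constructed sample hosts files from a primary (A) and its backup (B):
# they disagree on "plc2", A has an alias B lacks, and B carries a
# "hist1" entry that A does not have.
HOSTS_FILES = {
    "machineA": """127.0.0.1  localhost
10.1.1.10  plc1 plc1.plant.local   # primary PLC
10.1.1.11  plc2
""",
    "machineB": """127.0.0.1  localhost
10.1.1.10  plc1
10.1.1.12  plc2    # differs from machine A
10.1.1.30  hist1   # absent on machine A
""",
}

def parse_hosts(text):
    """Return {name: ip} for one hosts file; comments and blank lines skipped."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        for name in names:
            table[name.lower()] = ip
    return table

def audit(files):
    """Return (conflicts, missing): names mapped to different IPs on
    different machines, and names present on only some machines."""
    parsed = {m: parse_hosts(t) for m, t in files.items()}
    by_name = defaultdict(dict)
    for machine, table in parsed.items():
        for name, ip in table.items():
            by_name[name][machine] = ip
    conflicts = {n: v for n, v in by_name.items() if len(set(v.values())) > 1}
    missing = {n: sorted(set(parsed) - set(v)) for n, v in by_name.items()
               if len(v) < len(parsed)}
    return conflicts, missing

if __name__ == "__main__":
    conflicts, missing = audit(HOSTS_FILES)
    for name, ips in sorted(conflicts.items()):
        print(f"CONFLICT {name}: {ips}")
    for name, absent in sorted(missing.items()):
        print(f"MISSING  {name}: absent on {absent}")
```

Checking each name against what the DNS server (if any) returns is the natural next step, but the file-to-file comparison alone already surfaces the primary/backup drift described above.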

Control systems engineers certainly don't have a monopoly on this. They do seem to be more inclined to sloppiness in the naming area, whereas IT folk are more inclined to sloppiness in documentation and other areas. Perhaps this is a function of the vets vs. doctors statement that Ron mentioned in his comment.
