
Heroku encourages use of www. prefix for domains after DDoS - erikpukinskis
http://status.heroku.com/incident/156
======
erikpukinskis
My first reaction was that this is a crock... after all, don't all the big hot
internet companies use root domains? But I looked into it, and Facebook,
Google, Apple (and Heroku) .coms all redirect to www. Only Twitter rocks the
bare root domain.

I rely heavily on root domains in my printed materials (sending people to
sproutrobot.com/water and such), but I'm starting to think redirecting users
to www--so bookmarks, social media and the like point there and the majority
of my users hit www first--is a good idea.

~~~
ryantownsend
If you were worried about non-www links working during downtime/issues, you
could set up multiple cheap hosts around the world with nothing more than a
rewrite to the www. subdomain (where your main app is hosted). Then add the
multiple IPs to your root domain's A records - that way you have no
configuration to worry about (the non-www hosts literally just redirect to the
same path on a different domain), and you don't have to worry about those
redirects going down due to DNS round robin on multiple hosts.

~~~
billpg
I'd be surprised if there isn't someone offering this as a service already.

~~~
eli
Sure, lots of commercial DNS services offer URL redirection. I know dnsmadeasy
does it, as does namecheap.

------
yuvadam
This is an interesting point. The www. prefix seems to be slowly fading away
from the landscape, but URLs without the prefix never felt like first-class
citizens on the web.

The inability to use CNAMEs in root level domains also affects other aspects,
such as load balancing [1].

[1] - [http://blog.y3xz.com/post/3920967238/the-anomaly-of-amazon-e...](http://blog.y3xz.com/post/3920967238/the-anomaly-of-amazon-ec2-load-balancing)

~~~
hassy
I think "www" will make a comeback with increasing popularity of non
.com/.net/.org TLDs. "whatever.io" looks like a web address to most of us
here, but not to many others, even computer-savvy "normals".

~~~
temptemptemp13
But the webadmin of "whatever.io" is probably too cool to consider
"www.whatever.io" as a viable web address for a startup company.

------
ab9
NearlyFreeSpeech.NET, a popular web host, has recommended this for years.

[http://faq.nearlyfreespeech.net/section/domainnameservice/ba...](http://faq.nearlyfreespeech.net/section/domainnameservice/baredomain#baredomain)

------
jwr
What is the difference between an A record for a domain with a short TTL and a
www CNAME with a short TTL?

In other words, doesn't a short TTL get you essentially the same thing?

~~~
mseebach
A records are name-to-IP, CNAMEs are name-to-name. When you control everything,
you're right, no big deal. But in this case, customers control the DNS and
Heroku the servers. Using CNAME to point to an A record at Heroku allows them
to decide what IP the traffic goes to. If you use an A record, Heroku is SOL
if they need the traffic to go to a new IP.

Posterous had a similar problem last August. They urgently needed to change to
a new IP, but all their clients were set up with A records. Painful.

~~~
ez77
... _Heroku is SOL if they need_...

Off topic, what's the meaning of SOL in this context?

~~~
Duff
"Shit Out of Luck"

~~~
bmunro
'Square out of luck'?

~~~
telemachos
I'm pretty sure the parent is right that it's "shit out of luck". I knew it as
a military thing, and the internet seems to agree[1].

[1] <http://www.etymonline.com/index.php?term=S.O.L>. (one random link)

------
biot
Might this be an argument for a new DNS record which acts like CNAME but
doesn't have the restriction that there be no other records for the same host?
Something that functions like an A record but tells the querying software that
it should use the IP address from the A record of the returned hostname. An
"ALOOKUP" record if you will.

~~~
btilly
It has frustrated me for years that DNS recognized that mail might like to
have multiple hosts that can respond to a domain, but failed to recognize that
there might someday be other protocols that would like the same.

~~~
lmz
Isn't that what SRV is for? It even has priorities. Not that web browsers use
it to locate web servers, of course...

------
mikey_p
This is pretty much par for the course with 90% of the 'cloud' offerings out
there. This is also true with various hosted application platforms where you
can add a custom domain for your blog or whatever.

There's just no way to ever rely on a single IP and guarantee that it will be
stable for consumers, without failover. Even your ISP gives you two
nameservers for that reason.

------
rlpb
SRV would fix this, but support is still lacking in Firefox in an
eleven-year-old bug: <https://bugzilla.mozilla.org/show_bug.cgi?id=14328>

As far as I am aware, no other browser supports it either.

------
pimeys
Amazon's Elastic Load Balancer supports only CNAMEs, so a redirect to www
subdomain is the only option for us to use the load balancer, and I think the
situation won't get any better...

------
WALoeIII
The limitation of the root can (and will, I predict) be overcome by combining
host and dns provider APIs. If Heroku had a way to push A record changes up to
applications using their infrastructure they would be able to deal with this
sort of issue.

This is also the promise of Amazon's Route 53 combined with their Elastic Load
Balancing service which I hope will be released soon. Your DNS could
dynamically serve A record IPs for the ELB, and you save the client the 2nd
DNS resolution for the CNAME, faster and more dynamic.

For more:
[https://forums.aws.amazon.com/thread.jspa?threadID=63893&...](https://forums.aws.amazon.com/thread.jspa?threadID=63893&tstart=15)

------
athst
They should update their dev center docs with this! I just followed their own
instructions to set up DNS, which are to put in the IP addresses rather than
the proxy. Kinda funny this came up right after I did it.

~~~
athst
nvm, I misread - they're only talking about subdomains and not the primary
domain

------
norova
For what it's worth, CloudFlare (<http://www.cloudflare.com>) allows the use
of CNAMEs for the root domain.

~~~
SwellJoe
That would be a violation of the DNS specification, and won't work with DNS
servers that are compliant to the specification (i.e. BIND). Section 2.4 of
1912:

2.4 CNAME records

    
    
       A CNAME record is not allowed to coexist with any other data.  In
       other words, if suzy.podunk.xx is an alias for sue.podunk.xx, you
       can't also have an MX record for suzy.podunk.edu, or an A record, or
       even a TXT record.  Especially do not try to combine CNAMEs and NS
       records like this!:
    
    
               podunk.xx.      IN      NS      ns1
                               IN      NS      ns2
                               IN      CNAME   mary
               mary            IN      A       1.2.3.4
    
    
       This is often attempted by inexperienced administrators as an obvious
       way to allow your domain name to also be a host.  However, DNS
       servers like BIND will see the CNAME and refuse to add any other
       resources for that name.  Since no other records are allowed to
       coexist with a CNAME, the NS entries are ignored.  Therefore all the
       hosts in the podunk.xx domain are ignored as well!
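
The coexistence rule quoted from RFC 1912 section 2.4 above, written as a zone-file check. This is an added example, not part of the thread: the function names, the simplified parser (one record per line, no `$ORIGIN`/`$TTL` directives) and the `www` line in the sample zone are assumptions made for illustration.

```python
# Added example: flag owner names where a CNAME coexists with other records.
# Simplified parser: one record per line, no $ORIGIN/$TTL directives, no parentheses.

# Constructed sample; the first four lines mirror the RFC 1912 snippet quoted above.
SAMPLE_ZONE = """\
podunk.xx.      IN      NS      ns1
                IN      NS      ns2
                IN      CNAME   mary
mary            IN      A       1.2.3.4
www             IN      CNAME   proxy.example.net.
"""

TYPES = {"A", "AAAA", "NS", "MX", "TXT", "CNAME", "SOA", "SRV"}


def parse_zone(text, origin):
    """Return {owner_fqdn: set(record types)} for a simplified zone file."""
    origin = origin.rstrip(".").lower() + "."
    owners, last_owner = {}, origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # strip comments
        if not line.strip():
            continue
        fields = line.split()
        if raw[0].isspace():                   # leading whitespace: inherit previous owner
            owner = last_owner
        else:
            owner = fields.pop(0).lower()
            if owner == "@":
                owner = origin
            elif not owner.endswith("."):
                owner = f"{owner}.{origin}"    # relative name
        last_owner = owner
        # Skip optional TTL and class; the first token that is a known type wins.
        rtype = next((f.upper() for f in fields if f.upper() in TYPES), None)
        if rtype:
            owners.setdefault(owner, set()).add(rtype)
    return owners


def cname_conflicts(text, origin):
    """Owner names that hold a CNAME plus any other record type."""
    return {o: sorted(t - {"CNAME"}) for o, t in parse_zone(text, origin).items()
            if "CNAME" in t and len(t) > 1}


if __name__ == "__main__":
    for owner, others in cname_conflicts(SAMPLE_ZONE, "podunk.xx").items():
        print(f"{owner}: CNAME coexists with {', '.join(others)}")
```

The apex always carries NS and SOA records, so any CNAME placed there is reported, while the `www` CNAME passes because nothing else shares its name.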

------
cagenut
Seriously a SYN flood? How 90's.

Side effect of running on AWS, you can't use a "real" firewall.

Even then don't they use ha-proxy up front? I'm surprised this was an issue.

~~~
jemfinch
HA Proxy isn't going to protect their pipe from congestion. Null routing the
IP that's getting flooded will.

~~~
kordless
Until someone builds an attack suite that re-resolves the names in the middle
of the attack.

------
Joakal
What's the point in a random DDoS against Heroku?

~~~
delinka
I often get questions like this from non-tech folk. "Why would someone hack my
computer? Why would they attack my little web site?"

And often it's simply "because they can."

~~~
JakeSc
Increasingly, however, the answer has had more to do with economics, rather
than bragging rights.

------
franze
i want to bring up another - unrelated - point for "why a www subdomain is a
good idea". the answer is: stupid CMS. forums, comment sections, press release
distribution services, ... sometimes have issues to correctly transform non-
www domain names into clickable links.

~~~
danneu
aren't most cases triggered by "http://" rather than "www"?

------
smountcastle
I wonder if Heroku could benefit from some DDoS protection such as this:
[http://verisigninc.com/en_US/products-and-services/network-i...](http://verisigninc.com/en_US/products-and-services/network-intelligence-availability/ddos/index.xhtml)

