[dns-operations] Best Practices in DNS security
David Ulevitch
davidu at everydns.net
Fri Mar 17 19:56:41 UTC 2006
On Mar 17, 2006, at 11:07 AM, Matt Ghali wrote:
> Assuming that your dialup customers travel, have you considered
> whether they really need to use _your_ nameservers when they are
> topologically distant? Do you believe that this practice is
> worth the increased latency for every query which they are forced
> to tolerate?
> I may have only worked at atypical ISPs, but I never recall users
> calling to ask me to flush my nameserver's cache.
My experience:
1) Users who should ask but don't know that's the issue so you never
hear their complaints.
2) Users who don't know the real problem but blame a stale cache and
ask for a flush -- sometimes we did, sometimes it was even the real
problem.
3) Users who knew and never asked us because they'd just get pissed
off and set up their own recursive nameserver.
DNS is complicated. I think Geo's point is that most of these
proposed changes are going to make DNS a visible problem for end-
users rather than the hidden piece of core infrastructure it
currently is (for most people). I'm not saying that should stop
progress or hamper our ability to combat abuse, far from it, just
that we need to be aware of the changes we are advocating and what
the end-result might be. And with that in mind, tread lightly and
smartly.
As someone who has a business interest in the operation of the DNS I
think that more consumer awareness is great. As a technologist I'm
not so sure if it'll do anything other than annoy operators like us.
-david