[dns-operations] Best Practices in DNS security
davidu at everydns.net
Fri Mar 17 19:56:41 UTC 2006
On Mar 17, 2006, at 11:07 AM, Matt Ghali wrote:
> Assuming that your dialup customers travel, have you considered
> whether they really need to use _your_ nameservers when they are
> in topologically distant? Do you believe that this practice is
> worth the increased latency for every query which they are forced
> to tolerate?
> I may have only worked at atypical ISPs, but I never recall users
> calling to ask me to flush my nameserver's cache.
1) Users who should ask but don't know that's the issue so you never
hear their complaints.
2) Users who don't know the real problem but blame a stale cache and
ask for a flush -- sometimes we did, sometimes it was even the real
2) Users who knew and never asked us because they'd just get pissed
off and setup their own recursive nameserver.
DNS is complicated. I think Geo's point is that most of these
proposed changes are going to make DNS a visible problem for end-
users rather than the hidden piece of core infrastructure it
currently is (for most people). I'm not saying that should stop
progress or hamper our ability to combat abuse, far from it, just
that we need to be aware of the changes we are advocating and what
the end-result might be. And with that in mind, tread lightly and
As someone who has a business interest in the operation of the DNS I
think that more consumer awareness is great. As a technologist I'm
not so sure if it'll do anything other than annoy operators like us.
More information about the dns-operations