[dns-operations] [Nst] A Case Against DNSSEC (A Matasano Miniseries)

Paul Vixie paul at vix.com
Thu Apr 5 15:44:20 UTC 2007

> > The second thing is that this _does_ create two classes of Internet user
> > (I suppose a better analogy is "two classes of Internet neighbourhood"):
> > those who get "shielded" and those who don't.  I don't know whether I
> > think this is good or bad, but it is something one had better acknowledge,
> > I think -- and certainly is something one oughtn't to deny.  Whether there
> > is a practical effect of that two-class arrangement I don't know.
> Improving the qualitative security/availability of the DNS infrastructure
> for any group/class/number of users without breakage is an unalloyed good, I
> don't see how one could think otherwise?

one could think otherwise if there was any evidence that the creation of a
tiered structure meant that the "have-nots" were getting worse service than
they would in a one-tier world, or if the cost of entering the higher tier
were beyond the means of most isp's.  i've seen no such evidence to date.

consider f-root's anycast plans as an illuminative example.  we're in 40+
IXP's around the world, all of whom sponsor us with free services (racks,
power, etc) and most of whom also sponsor us with equipment and money.  (we
seek grants from third parties to sponsor interested IXPs who can't afford
equipment and/or money.)  now on the one hand, member/customer ISPs of IXPs
where f-root is present, receive better f-root service than other ISPs, but
on the other hand, the barrier to parity for those other ISPs is very low,
and furthermore, the entire community benefits from the better reachability
of this name server to the subset of the community who actually reaches it.
there are in other words no losers.  our global nodes are no longer carrying
the majority of our traffic -- so f-root's reliance on donated transit is
now lower than our reliance on donated IXP capacity.  this has flattened our
growth curve at the global nodes, meaning that we only have to grow server
and link capacity at moore's law speeds rather than exponentially as before.

now enter dns shield.  f-root's participation is limited to those ISP's we
do not peer with, since we prefer not to add extra moving parts that aren't
paying their way in improved reachability for somebody somewhere.  so, when
we add a shield instance, we're (a) reducing load on some global node
somewhere, and (b) removing some ISP from the gunsights of the DDFH gangs.
again i see no losers.  note that we're still entering every IXP who will
sponsor us, and if someone other than neu-ultra invited us to ride along on
an inside-the-ISP deal we'd be ready to talk about that, and if an ISP wanted
to sponsor us directly (with no IXP and no ride-along) we'd be ready to talk
about that, too.

if someone wants to show that tiered service is bad somehow, then i'll ask
that you begin by identifying an actual loser in the arrangement.  someone
whose quality of service goes down, or whose costs go up.  and make it an
actual loss plz, not a potential one.  if you can only think of potential
losses then plz identify the specific circumstances under which you think
that potential might exist, and ask whether the parties doing these kinds
of tiered service deals have guarded against those circumstances.
