[dns-operations] opting in to stupid DNS tricks

Jim Reid jim at rfc1035.com
Mon Feb 21 11:23:42 UTC 2011

On 19 Feb 2011, at 15:20, Patrick W. Gilmore wrote:

> Just checking the three largest sites I know off the top of my head (www.facebook.com 
> , www.google.com, www.yahoo.com), all three return different A  
> records depending on which source IP address requests the hostname.

Which is of course stupid because the IP address making the lookup is  
almost certainly not the IP address of the end client. So they're  
"optimising" for some recursive resolver rather than the end user's  
stub resolver that made the initial query.

I wonder what these DNS tricksters are going to do if/when these zones  
deploy Secure DNS.

BTW, I still don't understand why CDNs are abusing the DNS to solve  
something that is actually a routing problem. What's wrong with  
anycasting the IP address(es) of the web site or whatever? That way,  
the network figures out the truly optimal path (peering policies  
aside) between the end client and the content provider's server. Yes,  
I realise this may break TCP connections sometimes, but how much of a  
real problem is this? Has anyone got hard data about this?

> Therefore, you know damned well that Akamai (and all other CDNs,  
> large websites, and anyone else who publishes heterogeneous A  
> records) is 100% opt-in.

You must be using a different definition of opt-in. This term  
generally means getting explicit consent beforehand. I don't remember  
any of these CDNs ever asking me if I wanted to (not) depend on their  
stupid DNS tricks. Anyone looking up names like the ones you mentioned  
is of course 100% dependent on this DNS trickery. But please don't  
imply they have opted in to it. And anyway just because lots of people  
do something doesn't make it right or desirable. Lots of people drink  
a US-produced liquid called Budweiser.

FWIW it's also very annoying (and stupid) to be presented with content  
which the CDN thinks is relevant for the country where it believes the  
resolving name server I've used is located rather than for the country  
actually I'm in or the language(s) I understand. We can agree to  
disagree about that.

More information about the dns-operations mailing list