[dns-operations] opting in to stupid DNS tricks

Patrick W. Gilmore patrick at ianai.net
Mon Feb 21 14:55:24 UTC 2011

On Feb 21, 2011, at 6:23 AM, Jim Reid wrote:
> On 19 Feb 2011, at 15:20, Patrick W. Gilmore wrote:
>> Just checking the three largest sites I know off the top of my head (www.facebook.com, www.google.com, www.yahoo.com), all three return different A records depending on which source IP address requests the hostname.
> Which is of course stupid because the IP address making the lookup is almost certainly not the IP address of the end client. So they're "optimising" for some recursive resolver rather than the end user's stub resolver that made the initial query.

Just so we are clear, you are saying that if someone makes an approximation on the Internet which is good for high 90s percent of the userbase, it is 'stupid'.

I'm sure people who use other tools which are not 100% precise are glad you chose such iron-clad technical arguments as "stupid".

If you don't like that, you don't have to use those web pages.  Not sure why it bothers you that other people use those pages though.

> I wonder what these DNS tricksters are going to do if/when these zones deploy Secure DNS.

Feel the pain everyone else feels? :)

Again, not really sure what that has to do with you, though.

> BTW, I still don't understand why CDNs are abusing the DNS to solve something that is actually a routing problem. What's wrong with anycasting the IP address(es) of the web site or whatever? That way, the network figures out the truly optimal path (peering policies aside) between the end client and the content provider's server. Yes, I realise this may break TCP connections sometimes, but how much of a real problem is this? Has anyone got hard data about this?

I can explain it to you, but I honestly believe you do not want to know.  Read your own posts - "stupid", "abuse", "trickster".  If I posted "these stupid Jim people, who are constantly abusing my web server, using tricks to get around my stuff, why does he do that?", would you be inclined to spend time educating me?

If you do want to know, there are resources on the 'Net which can help you figure this out.  I am also willing to spend some time explaining it to you if you tell me, honestly, that you are willing to listen and not just looking for a reason to bitch some more.  I go to many conferences and (obviously) read too many mailing lists.  It shouldn't be hard to find representatives of the other "tricksters" to help you out as well.

>> Therefore, you know damned well that Akamai (and all other CDNs, large websites, and anyone else who publishes heterogeneous A records) is 100% opt-in.
> You must be using a different definition of opt-in. This term generally means getting explicit consent beforehand.

[* - see below, not really relevant to the thread]

> I don't remember any of these CDNs ever asking me if I wanted to (not) depend on their stupid DNS tricks. Anyone looking up names like the ones you mentioned is of course 100% dependent on this DNS trickery. But please don't imply they have opted in to it. And anyway just because lots of people do something doesn't make it right or desirable. Lots of people drink a US-produced liquid called Budweiser.

We can argue over the semantics of "opt-in" if you like.  Or we can agree that when you ask me to resolve an A record, _you_ are contacting _me_.

Along those lines, you cut out part of my post:
Put another way, if you don't like how our customers serve their traffic (or Google, or Yahoo!, or Facebook, or Limelight, or Level 3, or China Cache, or AT&T, or Tata, or ...), don't use those web pages.

Trying to say I cannot respond with whatever IP address I like when you ask me for a hostname sounds to me like: "I went to www.$FOO.com and they served me a banner ad.  I did not opt-in to that advertising!"

> FWIW it's also very annoying (and stupid) to be presented with content which the CDN thinks is relevant for the country where it believes the resolving name server I've used is located rather than for the country I'm actually in or the language(s) I understand. We can agree to disagree about that.

I think that's annoying too!

However, just to clear up a few things, CDNs are not the only companies that get geo-localization wrong.  And there is the fact most web page localizations (including all the Akamai ones I've seen) use the client IP address, not the name server IP address.  But please don't let things like facts get in the way of a rant against CDNs.

Sometimes life sux and people or systems Get Things Wrong.  Geo-IP databases are not 100% precise, just like using recursive NS as a proxy for end users.  Guess you can stop using those web pages as well.


From <http://www.google.com/search?q=define%3Aopt-in>:

• To choose to participate in something

To choose to participate in something sounds _exactly_ like "go to this web page".

There are more definitions, such as:

• Of a selection, the property of having to choose explicitly to join or permit something; a decision having the default option being exclusion or avoidance; used particularly with regard to mailing lists and advertisement

I would argue the default option is exclusion.  The default being not typing "www.$FOO.com" into your browser.  You have to make a proactive, intentional decision to get the page.  We aren't sending A records to random recursive NSes for the hell of it.

[Etc., etc.]

But like I said above, semantics is not the point.  Or at least I hope it isn't!
