[dns-operations] Google Public DNS and round robin records

Stephane Bortzmeyer bortzmeyer at nic.fr
Mon Jul 23 09:00:08 UTC 2012


On Sun, Jul 22, 2012 at 06:26:19PM +0000,
 Vernon Schryver <vjs at rhyolite.com> wrote 
 a message of 51 lines which said:

> A problem with that might be the increased load on authoritative
> servers due to caching disbursed among zillions of clients,

[TLD operator hat on.]

Yes, this is a problem. dnssec-trigger
<http://www.nlnetlabs.nl/projects/dnssec-trigger/> has the right
solution: testing the provided (by DHCP or RA) resolvers and using them
as forwarders if they work (most hotel resolvers are so broken that
you cannot use them as forwarders). This keeps the benefits of a
shared cache, while providing local DNSSEC validation.

Note that dnssec-trigger tests only the technical working of the
resolver (return large DNSSEC replies, no stripping of NSEC3 records,
etc). The problem of lying resolvers is still a big issue.
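The kind of "does this resolver work for DNSSEC" test the message refers to, as an added example written for this archive page and not dnssec-trigger's own code: it builds a query with the EDNS0 DO bit, parses the reply with only the standard library, and flags the two failure modes named above (RRSIGs stripped from positive answers, NSEC/NSEC3 records stripped from NXDOMAIN replies) plus truncation. The four sample replies are constructed inline so the checks run offline; `probe()` sends a real query and is the only part that needs network. The query name `example.com` and the transaction ID are assumptions.

```python
import socket
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG, TYPE_NSEC, TYPE_NSEC3 = 1, 41, 46, 47, 50
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
TXID = 0x1234  # assumed fixed transaction ID for the examples below


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, udp_size=4096):
    # Header: ID, flags (RD only), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (OPT)
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT pseudo-RR: root name, TYPE=OPT, CLASS=UDP payload size,
    # TTL field = ext-rcode(8) | version(8) | DO(1) | Z(15); DO bit is 0x8000
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0x00008000, 0)
    return header + question + opt


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies 2 bytes
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return header flags of interest and the RR types in each section."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    sections = {"answer": [], "authority": [], "additional": []}
    for name, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            off = _skip_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            sections[name].append(rtype)
    return {"id": txid, "rcode": flags & 0x000F, "tc": bool(flags & 0x0200),
            "ad": bool(flags & 0x0020), **sections}


def assess(reply):
    """Return (usable, reasons): usable as a forwarder only if signatures and
    denial-of-existence records survive and the reply is not truncated."""
    reasons = []
    if reply["tc"]:
        reasons.append("reply truncated: large DNSSEC answers are not getting through")
    if reply["rcode"] == RCODE_NOERROR:
        if TYPE_RRSIG not in reply["answer"]:
            reasons.append("RRSIG stripped from positive answer")
    elif reply["rcode"] == RCODE_NXDOMAIN:
        auth = reply["authority"]
        if TYPE_NSEC not in auth and TYPE_NSEC3 not in auth:
            reasons.append("NSEC/NSEC3 stripped from denial of existence")
        if TYPE_RRSIG not in auth:
            reasons.append("RRSIG stripped from denial of existence")
    else:
        reasons.append("unexpected RCODE %d" % reply["rcode"])
    return (not reasons, reasons)


def probe(resolver_ip, qname="example.com", qtype=TYPE_A, timeout=3.0):
    """Send the DO-bit query to a live resolver over UDP and assess its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qtype), (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    reply = parse_response(data)
    if reply["id"] != TXID:
        return (False, ["transaction ID mismatch"])
    return assess(reply)


# --- constructed sample replies (not captured traffic) ---
def _rr(name, rtype, rdata, ttl=300):
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def _reply(flags, question, answer=b"", authority=b"", an=0, ns=0):
    return struct.pack("!HHHHHH", TXID, flags, 1, an, ns, 0) + question + answer + authority


Q_POS = encode_name("example.com") + struct.pack("!HH", TYPE_A, 1)
Q_NX = encode_name("nx.example.com") + struct.pack("!HH", TYPE_A, 1)
A_RDATA, SIG_RDATA, NSEC3_RDATA = bytes([192, 0, 2, 1]), b"\x00" * 20, b"\x01" * 10
# Honest resolver: QR|RD|RA|AD, A record plus its RRSIG
GOOD_REPLY = _reply(0x81A0, Q_POS, answer=_rr("example.com", TYPE_A, A_RDATA)
                    + _rr("example.com", TYPE_RRSIG, SIG_RDATA), an=2)
# Hotel-style resolver: same answer with the RRSIG dropped and no AD bit
STRIPPED_REPLY = _reply(0x8180, Q_POS, answer=_rr("example.com", TYPE_A, A_RDATA), an=1)
# NXDOMAIN with NSEC3 + RRSIG kept in the authority section
GOOD_NX_REPLY = _reply(0x81A3, Q_NX, authority=_rr("example.com", TYPE_NSEC3, NSEC3_RDATA)
                       + _rr("example.com", TYPE_RRSIG, SIG_RDATA), ns=2)
# NXDOMAIN with the denial-of-existence records stripped
NX_STRIPPED_REPLY = _reply(0x8183, Q_NX, ns=0)
```

`assess()` deliberately looks only at record types and header bits, which is exactly the distinction the message draws: a resolver can pass this test (it relays signatures and NSEC3 proofs intact) and still lie, since nothing here validates the signatures themselves; that job stays with the local validator that uses the resolver as a forwarder.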
