[dns-operations] Capturing 18.104.22.168 Traffic
vjs at rhyolite.com
Mon Feb 25 21:14:31 UTC 2013
> From: "Carlos M. Martinez" <carlosm3011 at gmail.com>
> That said, there is something to be said for easy-to-remember,
> easy-to-type, DNS addresses. Why not write an I-D asking IANA for a
> couple of very easy addresses that we can all agree to locally anycast ?
It's one thing to use the anycast authoritative servers and the various
branded anycast recursive servers, but something else to use unknown
recursive servers that would make unpredictable and effectively random
improvements to DNS responses. Those improvements would be unpredictable
and random, because you could not predict which of the many servers
that "we all" run would be used 10 minutes from now when your local
instance is down for maintenance or the target of an attack.

You can believe Google's answer to the question "Do you fudge DNS
data?", but if not, then you should never have considered using Google's
servers. (Never mind that you should be validating DNSSEC in or very
close to applications so that question is operationally irrelevant.)
No matter how some of the operators of those servers that "we all"
run answered that question, the answer would be content-free noise.
Given the nature of anycast, no answer could be authoritative for
all of the players.

As for easy-to-remember addresses, why bother asking IANA for
something that IANA is unlikely to be able to provide? Or if you
meant multicast instead of anycast, what about TCP/53?

What about DHCP? Should customers who can't find and understand your
resolver's address on your easy-to-use web page setup instructions be
typing any DNS server addresses? How can a customer that can't find
and type your DNS server's address handle configuring the /28 (or
whatever) block you've assigned? If DHCP does that job, then why not
let it also handle DNS?

It might be best to terminate customers that are too smart by half
and hire the IT consultancy run by the neighbor's script kiddie to
improve your DHCP answers, because they're likely to be infinite
sources of trouble.
Vernon Schryver vjs at rhyolite.com