[dns-operations] resolvers considered harmful

Matthew Pounsett matt at conundrum.com
Wed Oct 22 17:29:22 UTC 2014


On Oct 22, 2014, at 13:16 , Andrew Sullivan <ajs at anvilwalrusden.com> wrote:

> On Wed, Oct 22, 2014 at 12:47:39PM -0400, Mark Allman wrote:
> 
>>  leaving recursive resolution to the clients.  We show that the two
>>  primary costs of this approach---loss of performance and an increase
>>  in system load---are modest and therefore conclude that this approach
>>  is beneficial for strengthening the DNS by reducing the attack
>>  surface.
> 
> As long as you only count costs _to you_, externalizing costs is often
> a good idea.
> 
> There's a third cost here, and that is a large increase in costs to
> authoritative server operators.  
> 
> That might be worth trading off, but it won't do to pretend that isn't
> a cost that's incurred.

The paper also appears to make the assumption that eliminating existing resolvers is a thing we can do.  Open recursive resolvers won’t go away simply because we, as an industry, decide to stop setting up new ones.  There’s no way to prevent them from sending queries (or to selectively block them), and they are almost by definition unmanaged, so we cannot expect they will be taken offline by their respective administrators.
