[dns-operations] resolvers considered harmful

Paul Vixie paul at redbarn.org
Wed Oct 22 18:06:27 UTC 2014

> Matthew Pounsett <matt at conundrum.com>
> Wednesday, October 22, 2014 10:29 AM
> The paper also appears to make the assumption that eliminating
> existing resolvers is a thing we can do. Open recursive resolvers
> won’t go away simply because we, as an industry, decide to stop
> setting up new ones. There’s no way to prevent them from sending
> queries (or to selectively block them), and they are almost by
> definition unmanaged, so we cannot expect they will be taken offline
> by their respective administrators.

well, yes, and the fact that the vast majority of current stub resolvers
have at least one layer of NAT between them and the internet core (where
the authority servers are), as well as IPS and firewalls, means that
responses to RD=0 queries usually won't get in, and RD=0 queries will
even more often not go out. (UDP is evil, didn't you know.) we can move
the stubs to an HTTPS transport if we can agree on a RESTful query API
and either a JSON or XML schema for responses, but it is not in our power
to make UDP, especially fragmented UDP as in EDNS, work in the last mile.

given that this came from ICIR, they ought to have known that. so it's
going to be an interesting debate, methinks.

Paul Vixie
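The two wire-level properties the message turns on, the RD bit and the EDNS UDP payload size, as an added example that is not part of Paul Vixie's post: a minimal DNS query builder and parser plus a constructed border-policy check that flags outbound RD=0 queries and EDNS sizes that would force fragmentation. The query name, transaction id and the 1500-byte path MTU are assumptions.

```python
import struct

RD_BIT = 0x0100      # RFC 1035 header flags: Recursion Desired
OPT_TYPE = 41        # RFC 6891 EDNS0 OPT pseudo-RR

def build_query(qname, qtype=1, rd=True, edns_udp_size=None, txid=0x1234):
    """Build a DNS query in wire format; optionally append an EDNS0 OPT RR."""
    flags = RD_BIT if rd else 0x0000            # QR=0, OPCODE=0, RD set or clear
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question += struct.pack("!HH", qtype, 1)    # QTYPE, QCLASS=IN
    opt = b""
    if edns_udp_size:
        # OPT RR: root name, TYPE=41, CLASS = advertised UDP payload size, TTL=0, RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp_size, 0, 0)
    return header + question + opt

def parse_query(pkt):
    """Return the fields a border filter cares about: RD bit, QNAME, QTYPE, EDNS UDP size."""
    _txid, flags, _qd, _an, _ns, arcount = struct.unpack("!HHHHHH", pkt[:12])
    pos, labels = 12, []
    while pkt[pos] != 0:                        # walk uncompressed QNAME labels
        length = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + length].decode())
        pos += 1 + length
    pos += 1                                    # skip root label terminator
    qtype, _qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    pos += 4
    edns_size = None
    if arcount and pkt[pos] == 0 and struct.unpack("!H", pkt[pos + 1:pos + 3])[0] == OPT_TYPE:
        edns_size = struct.unpack("!H", pkt[pos + 3:pos + 5])[0]
    return {"rd": bool(flags & RD_BIT), "qname": ".".join(labels),
            "qtype": qtype, "edns_udp_size": edns_size}

def classify(pkt, path_mtu=1500):
    """Constructed policy: list the reasons a NAT/IPS in the last mile would likely drop this query."""
    q = parse_query(pkt)
    reasons = []
    if not q["rd"]:
        reasons.append("RD=0: iterative query rather than a stub-to-recursive lookup")
    # 20 bytes IPv4 + 8 bytes UDP header: anything larger than this needs fragmentation
    if q["edns_udp_size"] and q["edns_udp_size"] > path_mtu - 28:
        reasons.append("EDNS UDP size %d exceeds unfragmented path MTU" % q["edns_udp_size"])
    return reasons
```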