[dns-operations] resolvers considered harmful
paul at nohats.ca
Thu Oct 23 13:10:05 UTC 2014
On Wed, 22 Oct 2014, Mark Allman wrote:
> That is not what we are proposing. We are not suggesting resolvers be
> *moved*, but rather *removed*. That is, clients simply do name lookup
> on their own.
"simply" on their own moves the entire query load of all endpoints
(billions) onto the authoritative nameservers only. Do you really
propose a billion clients should perform lookups against my 3 poor
nameservers for nohats.ca.?
Have you talked to operators worldwide on what the query load on their
caching resolvers is?
(please do not come back with djb quoted numbers; he was proven wrong on
his fabricated caching statistics numbers by Dan Kaminsky and me)
> Let me be clear.... I am not arguing against DNSSEC. A crypto signed
> record is always better than a clear text record. But, DNSSEC is still
> not here and it seems to me that factoring out some of the
> intermediaries that we know sometimes both play games and have games
> played on them may well be a useful path.
validating stubs are perfectly capable of dealing with dnssec-forged
replies from intermediate caches, and can try to work their way around
those. Those are the exceptions and leave the intermediary caching
system intact. Suggesting to dismantle the largest distributed database
in the world and thinking you can get away with it is a very ill-thought-out
plan not rooted in reality.
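As an added illustration (not part of the thread, and not code written by either poster), the following Python model exercises the two points made above: first, that removing shared caching resolvers pushes every endpoint's cache misses onto the authoritative servers, and second, that a validating stub can recognise a forged answer from an intermediary and route around it while the caching layer stays in place. Client count, TTL, query rate, the zone name, the addresses and the "zone key" are all constructed values; the signature check uses an HMAC as a stand-in for a real DNSSEC public-key RRSIG so the example runs with only the standard library.

```python
"""Toy model of two claims from the thread: (1) without caching resolvers,
authoritative servers absorb every endpoint's cache misses; (2) a validating
stub can detect a forged answer from an intermediary cache and try the next
source instead. Constructed example; this is not DNS protocol code."""
import hashlib
import hmac
import random
from dataclasses import dataclass


# ---------- claim 1: authoritative query load with and without a shared cache ----------

def authoritative_queries(n_clients, horizon, ttl, rate, shared_cache, seed=0):
    """Count queries that reach the authoritative server within `horizon` seconds.

    Every client asks for the same name at random moments (exponential
    inter-arrival times, `rate` queries per second per client).
    shared_cache=True: one resolver cache serves all clients, so only TTL
    expiries cause an authoritative query.
    shared_cache=False: each client has only its own cache, which is the
    "clients simply do name lookup on their own" model."""
    rng = random.Random(seed)
    # expiry time of the cached record per cache slot; None means not cached
    expiry = [None] * (1 if shared_cache else n_clients)
    events = []
    for client in range(n_clients):
        t = rng.expovariate(rate)
        while t < horizon:
            events.append((t, client))
            t += rng.expovariate(rate)
    auth_hits = 0
    for t, client in sorted(events):
        slot = 0 if shared_cache else client
        if expiry[slot] is None or expiry[slot] <= t:
            auth_hits += 1            # cache miss: the authoritative is asked
            expiry[slot] = t + ttl
    return auth_hits


# ---------- claim 2: a validating stub routing around a forging intermediary ----------

ZONE_KEY = b"constructed-zone-key"   # stand-in for the zone's signing key


def sign(name, rdata):
    """Stand-in for an RRSIG: HMAC over name and rdata under the zone key.
    Real DNSSEC uses public-key signatures; HMAC is only a stand-in here."""
    return hmac.new(ZONE_KEY, name + b"\0" + rdata, hashlib.sha256).hexdigest()


@dataclass
class Answer:
    name: bytes
    rdata: bytes
    rrsig: str


# constructed authoritative data for one name (TEST-NET-1 address)
AUTH = {b"www.example.": Answer(b"www.example.", b"192.0.2.10",
                                sign(b"www.example.", b"192.0.2.10"))}


def validate(ans):
    """A validating stub checks the signature itself instead of trusting
    whichever intermediary handed it the answer."""
    return hmac.compare_digest(sign(ans.name, ans.rdata), ans.rrsig)


def honest_resolver(name):
    """An intermediary cache that relays the signed answer unchanged."""
    return AUTH[name]


def forging_resolver(name):
    """An intermediary that rewrites the address but cannot re-sign it."""
    real = AUTH[name]
    return Answer(name, b"198.51.100.66", real.rrsig)


def validating_stub(name, resolvers, authoritative):
    """Ask each configured resolver in turn; skip any answer that fails
    validation and fall back to the authoritative only as a last resort.
    Returns (answer, index of the source used, indices flagged bogus)."""
    bogus = []
    for i, resolver in enumerate(resolvers):
        ans = resolver(name)
        if validate(ans):
            return ans, i, bogus
        bogus.append(i)
    return authoritative[name], len(resolvers), bogus


if __name__ == "__main__":
    shared = authoritative_queries(1000, 3600, 300, 0.01, shared_cache=True)
    alone = authoritative_queries(1000, 3600, 300, 0.01, shared_cache=False)
    print(f"authoritative queries per hour: shared cache={shared}, stubs alone={alone}")
    ans, src, bogus = validating_stub(b"www.example.", [forging_resolver, honest_resolver], AUTH)
    print(f"stub accepted {ans.rdata!r} from source {src}; bogus sources: {bogus}")
```

With 1000 clients, a 300-second TTL and one query per client every 100 seconds on average, the shared cache sends the authoritative at most one query per TTL window while the stubs-alone model sends thousands; scaling the client count scales only the second number. In the second part the stub moves past the forging intermediary to the next configured resolver and never has to dismantle the caching layer to get a correct answer.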