[dns-operations] resolvers considered harmful

Mark Allman mallman at icir.org
Thu Oct 23 15:23:27 UTC 2014

> "simply" on their own moves the entire query load of all endpoints
> (billions) onto the authoritative nameservers only. Do you really
> propose a billion clients should perform lookups against my 3 poor
> nameservers for nohats.ca.?

Well ....

  - All billions of clients are not interested in nohats.ca so trying to
    compare billions of clients against your three nameservers is a red

  - I don't know what your load is, but do you have any idea how much
    your load will increase if shared resolvers did not shield you from
    some of it?  We quantify this a little in our paper (for .com).  We
    should use numbers to talk about these things instead of just waving
    our hands at some boogie man.

  - And, I'd spin this around on you ... You clearly care about your 3
    poor nameservers.  That is natural and rational.  But, why do you
    think it is someone else's job to run a cache to shield you from
    load?  Why should we at ICSI run a shared resolver for your benefit?
    If we get benefit and it happens to help you, too, great.  But, I
    can tell you that we certainly don't factor your load into our
    considerations of how to run our infrastructure.

> Suggesting to dismantle the largest distributed database in the world
> and thinking you can get away with it is a very ill thought plan not
> rooted in reality.

Well, ...

  - We root our argument in some empiricism, anyway.  That is more
    than you're doing.  One can always get more data and more vantage
    points, but at least let's not pretend we just waved our hands here,

  - We are not talking about dismantling the distributed database.  We
    are talking about eliminating optional caches from the system.  The
    actual database embodied in the auth servers remains untouched.  I
    have had many conversations with people over the last year about
    this idea and I always find it sort of interesting that resolvers
    are viewed as a required component of the system and that it so much
    blows people's minds that the system could or should work without

    (Yet, web caches---which one can view as pretty analogous---do not
    seem to rise to the level.  I.e., folks seem to view them for what
    they are---perhaps a helping hand---and not as some crucial
    component of the system.)

  - Doing what we have always done because we have always done it and
    not thinking about the implications of that seems like a lousy plan,
    too, BTW.

