[dns-operations] resolvers considered harmful
Mark Allman
mallman at icir.org
Thu Oct 23 15:23:27 UTC 2014
> "simply" on their own moves the entire query load of all endpoints
> (billions) onto the authoritative nameservers only. Do you really
> propose a billion clients should perform lookups against my 3 poor
> nameservers for nohats.ca.?
Well ....
- All billions of clients are not interested in nohats.ca so trying to
compare billions of clients against your three nameservers is a red
herring.
- I don't know what your load is, but do you have any idea how much
your load will increase if shared resolvers did not shield you from
some of it? We quantify this a little in our paper (for .com). We
should use numbers to talk about these things instead of just waving
our hands at some boogeyman.
- And, I'd spin this around on you ... You clearly care about your 3
poor nameservers. That is natural and rational. But, why do you
think it is someone else's job to run a cache to shield you from
load? Why should we at ICSI run a shared resolver for your benefit?
If we get benefit and it happens to help you, too, great. But, I
can tell you that we certainly don't factor your load into our
considerations of how to run our infrastructure.
> Suggesting to dismantle the largest distributed database in the world
> and thinking you can get away with it is a very ill thought plan not
> rooted in reality.
Well, ...
- We root our argument in some empiricism, anyway. That is more
than you're doing. One can always get more data and more vantage
points, but at least let's not pretend we just waved our hands here,
please.
- We are not talking about dismantling the distributed database. We
are talking about eliminating optional caches from the system. The
actual database embodied in the auth servers remains untouched. I
have had many conversations with people over the last year about
this idea and I always find it sort of interesting that resolvers
are viewed as a required component of the system and that it so much
blows people's minds that the system could or should work without
them.
(Yet, web caches---which one can view as pretty analogous---do not
seem to rise to the level. I.e., folks seem to view them for what
they are---perhaps a helping hand---and not as some crucial
component of the system.)
- Doing what we have always done because we have always done it and
not thinking about the implications of that seems like a lousy plan,
too, BTW.
allman