[dns-operations] resolvers considered harmful

David Conrad drc at virtualized.org
Thu Oct 23 15:11:30 UTC 2014


Hi,

On Oct 23, 2014, at 6:29 AM, Jelte Jansen <jelte.jansen at sidn.nl> wrote:
> I don't think there's an essential difference between a resolver at the
> edge and a shared resolver in any other way than the 'shared' part.

Yep, although that obviously has impact implications (fewer potential victims of a successful attack).

> One 'type' I haven't seen discussed is the root
> servers. Perhaps it won't be noticed in all the garbage they get right
> now, but perhaps the garbage they get will increase by a lot.

In addition to moving the resolvers to the edge, we could also include mirroring the root zone in those resolvers (a la Warren's draft). I believe that would significantly reduce the traffic to the root servers, even if there were a vast increase in the number of resolvers.  Of course, that doesn't help auth server operators farther down the tree...

> I do not think putting multiple questions in one request isn't reliably
> possible without heavy protocol changes;

I presume you mean "is" not "isn't".  Not sure it would require 'heavy' protocol changes -- I suspect all it would take would be to document how the multiple questions are packed into the query and how the multiple answers to those questions are packed into and parsed from the response. Since the question is included in the response, it shouldn't be too hard, just a small matter of programming... (:)).

> sure the protocol doesn't
> forbid adding more records to the question section, but it doesn't
> really have any way to answer them either; mostly because there is only
> one rcode field. So I don't think that option is as easy as the paper
> makes it out to be.

Agreed -- it would require redeployment of the entire infrastructure (albeit that could be done in a backwards compatible way). However, I actually think this would be a good enhancement to the DNS for performance/latency reduction/efficiency reasons.

Regards,
-drc
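To make the "small matter of programming" in the message above concrete, here is an added example (not code from the thread or from any DNS implementation) that packs two questions into one query with QDCOUNT=2, builds a constructed response that copies the question section back, and parses it. The sample names, transaction ID and A-record data are made up for the demo. It shows the point both correspondents make: the wire format already lets you pack and parse multiple questions and answers, but the header carries a single RCODE, so the second question below gets no answer and no per-question status, and the client cannot tell NXDOMAIN from NODATA for it. Deployed servers generally refuse QDCOUNT > 1, so this only runs against itself offline.

```python
"""Pack a DNS query carrying two questions (QDCOUNT=2), build a constructed
response, parse it, and pair answers with questions by owner name and type.
All messages here are constructed in-process; nothing is sent on the wire."""
import struct

TYPE_A, CLASS_IN = 1, 1
HEADER = "!HHHHHH"  # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT


def encode_name(name):
    """Encode a dotted name as DNS labels (uncompressed); '.' encodes as one zero byte."""
    out = b""
    for label in (l for l in name.rstrip(".").split(".") if l):
        if len(label) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a name at offset `off`, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appeared in place)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer
            if end is None:
                end = off + 2
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def build_query(txid, questions):
    """questions: list of (name, qtype). RD=1, every question in one message."""
    hdr = struct.pack(HEADER, txid, 0x0100, len(questions), 0, 0, 0)
    body = b"".join(encode_name(n) + struct.pack("!HH", t, CLASS_IN)
                    for n, t in questions)
    return hdr + body


def build_response(query, answers, rcode=0):
    """Echo the query's whole question section and append answer RRs.
    answers: list of (name, rtype, ttl, rdata). Note the single rcode argument:
    the header has one RCODE field for however many questions were asked."""
    txid, _, qdcount, _, _, _ = struct.unpack(HEADER, query[:12])
    off = 12
    for _ in range(qdcount):               # walk past every question
        _, off = decode_name(query, off)
        off += 4
    qsection = query[12:off]
    flags = 0x8180 | (rcode & 0xF)         # QR=1, RD=1, RA=1, RCODE
    hdr = struct.pack(HEADER, txid, flags, qdcount, len(answers), 0, 0)
    rrs = b"".join(encode_name(n) + struct.pack("!HHIH", t, CLASS_IN, ttl, len(rd)) + rd
                   for n, t, ttl, rd in answers)
    return hdr + qsection + rrs


def parse_message(msg):
    """Parse header, question section and answer section of a DNS message."""
    txid, flags, qd, an, _, _ = struct.unpack(HEADER, msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _ = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, ttl, msg[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}


def match_answers(parsed):
    """Pair each question with the answers whose owner name and type match it.
    An empty list means 'no answer', but the one RCODE cannot say why."""
    return {(qn, qt): [a for a in parsed["answers"] if a[0] == qn and a[1] == qt]
            for qn, qt in parsed["questions"]}


if __name__ == "__main__":
    # Constructed demo: two questions in, one answer back, RCODE=NOERROR.
    q = build_query(0x1234, [("example.com.", TYPE_A), ("example.net.", TYPE_A)])
    r = build_response(q, [("example.com.", TYPE_A, 300, bytes([192, 0, 2, 1]))])
    for question, rrs in match_answers(parse_message(r)).items():
        print(question, "->", rrs or "no answer (NXDOMAIN or NODATA? header RCODE cannot say)")
```

The pairing step is the "packed into and parsed from the response" documentation Conrad refers to, and it works with today's wire format. What it cannot express is exactly the objection in the quoted text: a per-question status would need either a second RCODE field or an EDNS option carrying one, and every server on the path would have to understand it.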

