[106721] in North American Network Operators' Group


Re: maybe a dumb idea on how to fix the dns problems i don't know....

daemon@ATHENA.MIT.EDU (Colin Alston)
Mon Aug 11 08:38:28 2008

Date: Mon, 11 Aug 2008 14:38:07 +0200
From: Colin Alston <karnaugh@karnaugh.za.net>
To: Joe Greco <jgreco@ns.sol.net>
In-Reply-To: <200808111210.m7BCAQSB087205@aurora.sol.net>
Cc: nanog@merit.edu
Errors-To: nanog-bounces@nanog.org

Joe Greco wrote:
>> Unix machines set up by anyone with half a brain run a local caching
>> server, and use forwarders. IE, the nameserver process can establish a
>> persistent TCP connection to its trusted forwarders, if we just let it.
> 
> Organizations often choose not to do this because doing so involves more
> risk and more things to update when the next vulnerability appears.  In
> many cases, you are suggesting additional complexity and management
> requirements.  A hosting company, for example, might have 20 racks of
> machines with 40 machines each, which is 800 servers.  If half of those
> are UNIX, then you're talking about 402 nameservers instead of just 2.

[Customers] <--/UDP/--> [DNS Cache] <--/TCP/--> [DNS servers]

Not so?

Of course, one shouldn't let the rest of the internet touch your DNS 
Cache query interface... but that's just obvious.

I mentioned this a while ago though, so I demand credit ;P Also, I think 
there is probably an IETF DNS WG list where this fits on topic (I have 
no idea what it may be though).
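The diagram above as a concrete resolver configuration. This is an added example, not part of Colin Alston's post or of any project's code; it uses Unbound's unbound.conf syntax, and every address in it is constructed for illustration (192.0.2.0/24 as the customer network, 192.0.2.53 as the cache's own address, 198.51.100.1 and 198.51.100.2 as the trusted forwarders).

```conf
# Added example (not from the original post): an Unbound instance playing the
# "[DNS Cache]" box in the diagram. Assumed, constructed addressing:
#   customers      192.0.2.0/24
#   cache address  192.0.2.53
#   forwarders     198.51.100.1, 198.51.100.2
server:
    interface: 192.0.2.53
    interface: 127.0.0.1

    # Only customers and localhost may use the query interface. Everything
    # else is refused, so the cache is neither an open resolver nor reachable
    # as a poisoning target from the rest of the Internet.
    access-control: 127.0.0.0/8 allow
    access-control: 192.0.2.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # The default (tcp-upstream: no) sends upstream queries over UDP, where an
    # off-path attacker can race the forwarder's reply with a forged answer.
    # Forcing TCP upstream means a forged answer is useless without the
    # handshake, which a blind spoofer cannot complete.
    tcp-upstream: yes

    # Keep the usual source-port and 0x20 case randomisation as well; TCP
    # upstream is an addition to those measures, not a replacement.
    use-caps-for-id: yes

# Everything not answered from cache goes to the trusted forwarders.
forward-zone:
    name: "."
    forward-addr: 198.51.100.1
    forward-addr: 198.51.100.2
```

Two things to check before deploying this: the forwarders (and any firewall between them and the cache) must accept TCP port 53 from 192.0.2.53, since `tcp-upstream: yes` sends nothing over UDP; and `access-control` only protects the query side, so the cache's host should still not be reachable on port 53 from outside the customer network.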

