On 5/17/2012 3:46 PM, Stephane Bortzmeyer wrote:
> ... Also, the problem you mention (different results from different
> resolvers, unlike the original DNS model of eventual consistency, with
> eventual meaning a very short time) is already a reality: we have
> DNSSEC issues, we have network issues, we have censorship, we have
> lying resolvers... Today, we already cannot assume that a DNS answer
> will be the same everywhere. dig is no longer sufficient to debug, we
> need a distributed monitoring.
on that narrow topic, let me say again that any recursive dns operator including isp, university, enterprise, open, soho, or other... is welcomed and requested to share their cache miss traffic with ISC via our Security Information Exchange (SIE). you've all been listening to me ask for this since 2008 or so, but since stephane has shined the policy spotlight on the telemetry problem, i'll take the bait.

the way this works is, RDNS operators download and install our "nmsg" software. it's BSD licensed, open source, and takes very little time to set up and very little in the way of cpu time, disk space, or network bandwidth to operate. your server then sends ISC a copy of its server-to-server traffic -- so, there's no PII, no end-user IP addresses, etc. your server need not be running BIND; the "nmsg" software uses BPF (so, like tcpdump).

when we get your data we will broadcast it in real time to a tight and well-vetted audience of academic and commercial DNS and security researchers, and we throw it away. some of these researchers will use your "cache miss" traffic to build Passive DNS databases by which they can re-aggregate the content of DNS one transaction at a time, with some impressive permuted indexing and cross correlation opportunities. one of the researchers who will hear your data and build a Passive DNS database out of it is ISC itself.

our passive dns system is online at https://dnsdb.isc.org/ and access to it is free for low volume non-commercial use (so: law enforcement is welcome). but the point of mentioning all of this is, we don't want your data for our own private purposes -- we want all of the trustworthy and competent do-gooders in the world (even the commercial ones) to have access to it.

think about passive dns for your RDNS servers, even if you don't also decide to slave the root zone there. more information is available on the web at http://rsf.isc.org/.

paul
-- 
"I suspect I'm not known as a font of optimism." (VJS, 2012)
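Added example, not code from the post nor from ISC's nmsg or DNSDB: a minimal passive DNS aggregator that re-aggregates DNS content one transaction at a time from cache-miss answers, keeps only authoritative-to-resolver (server-to-server) traffic so no end-user addresses enter the database, and offers the inverse rdata lookup passive DNS is used for. All addresses, names, timestamps and the RESOLVERS set are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample of DNS answers seen at a recursive resolver. Each entry:
# (unix time, source IP, destination IP, owner name, RR type, RDATA).
# All addresses, names and times are made up for this example.
SAMPLE = [
    (1337290000, "192.0.2.10", "198.51.100.5", "Example.com.", "A", "203.0.113.7"),
    (1337290060, "192.0.2.10", "198.51.100.5", "example.com.", "A", "203.0.113.7"),
    (1337290120, "192.0.2.11", "198.51.100.5", "example.com.", "A", "203.0.113.8"),
    # resolver answering an end-user stub: client traffic, must be excluded
    (1337290180, "198.51.100.5", "10.20.30.40", "example.com.", "A", "203.0.113.7"),
]

# Addresses of our own recursive server(s); constructed for this example.
RESOLVERS = {"198.51.100.5"}


@dataclass
class Record:
    first_seen: int
    last_seen: int
    count: int


def is_cache_miss_answer(src: str, dst: str) -> bool:
    """True for authoritative -> resolver answers (server-to-server); False for
    resolver -> client answers, so end-user IPs never reach the database."""
    return dst in RESOLVERS and src not in RESOLVERS


def build_pdns(events):
    """Aggregate transactions into (name, type, rdata) tuples with seen-times."""
    db: dict = {}
    for ts, src, dst, name, rtype, rdata in events:
        if not is_cache_miss_answer(src, dst):
            continue
        key = (name.lower(), rtype, rdata)  # owner names are case-insensitive
        rec = db.get(key)
        if rec is None:
            db[key] = Record(first_seen=ts, last_seen=ts, count=1)
        else:
            rec.first_seen = min(rec.first_seen, ts)
            rec.last_seen = max(rec.last_seen, ts)
            rec.count += 1
    return db


def lookup_rdata(db, rdata: str):
    """Inverse index: which (name, type) tuples have ever resolved to this rdata."""
    return sorted((n, t) for (n, t, r) in db if r == rdata)


def lookup_rrname(db, name: str):
    """Forward index: every (type, rdata, record) ever seen for this owner name."""
    return [(t, r, db[(n, t, r)]) for (n, t, r) in db if n == name.lower()]
```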
