On Oct 14, 2013, at 7:08 PM, Paul Hoffman <[email protected]> wrote:
> A fictitious 100-person company has an IT staff of 2 who have average IT 
> talents. They run some local servers, and they have adequate connectivity for 
> the company's offices through an average large ISP.
> 
> Should that company run its own recursive resolver for its employees, or 
> should it continue to rely on its ISP?

Given the information provided (and interpolating): they should run their own 
recursive servers.

Running a recursive server is (should be) far easier than running the vast 
majority of other "local servers".  If it isn't, they're using the wrong 
recursive server.  With the exception of root key rollover, running a recursive 
server is a fire-and-forget type service (modulo some initial configuration to 
avoid being an open resolver).

Given the role DNS has, if they do not run their own resolver they are 
investing a vast amount of trust both in the resolver operator and the wire 
(air, in the case of wireless) between their stubs and their resolver.  That 
trust is constantly being violated through crap like redirection. Further, in a 
DNSSEC environment, validation is pointless if the channel between the resolver 
and the stub is subject to attack.  Until that channel can be protected, it is 
far safer to run local resolvers if you are interested in security.

Regards,
-drc
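As an added illustration of the "initial configuration to avoid being an open resolver" and the local DNSSEC validation the reply refers to (this is example configuration, not anything posted on the list), here is a minimal Unbound `unbound.conf` for the fictitious company's in-house recursive resolver. The LAN prefix 10.0.0.0/8 and the listening address 10.0.0.53 are constructed for the example; the option names are real Unbound options.

```conf
# Added example, not from the list post: unbound.conf for an in-house
# recursive resolver serving one office network.
# Assumptions (constructed): office LAN is 10.0.0.0/8, resolver is 10.0.0.53.
server:
    interface: 10.0.0.53

    # Not an open resolver: refuse everything by default, then allow only
    # the company's own prefixes and the local host.
    access-control: 0.0.0.0/0 refuse
    access-control: ::/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/8 allow

    # Validate DNSSEC on this box, so the stubs' last hop to the validator is
    # the office LAN rather than the path to the ISP's resolver.
    # Root key rollover (RFC 5011) is tracked automatically in this file,
    # which is the one item the reply singles out as not fire-and-forget.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Low-cost hardening that does not change what valid answers look like.
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
```

Before first start, seed the trust anchor file with `unbound-anchor -a /var/lib/unbound/root.key` and check the syntax with `unbound-checkconf`. Two quick checks that the configuration does what the reply asks for: from a host inside 10.0.0.0/8, `dig @10.0.0.53 +dnssec example.com` should return an answer with the `ad` flag set, showing the resolver validated it; from any address outside the allowed prefixes, the same query should come back with status REFUSED rather than an answer.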
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs